FDA Document Details Cyber Expectations for Device MakersRevised Draft Guidance Lists Security Asks for Premarket Medical Device Submissions
The Food and Drug Administration has issued new draft guidance providing updated and detailed recommendations for how medical device makers should address cybersecurity risk in the premarket of their products.
The draft guidance issued Thursday, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, covers a wide range of cybersecurity device design, labeling and documentation issues - including details about threat modeling, security controls and software bills of materials - that the FDA recommends be addressed by manufacturers in their premarket submissions to the agency.
"The new guidance is robust and educational, in specific detail from decades of work, remarkably in layman's terms, providing in-depth considerations for a layered, world-class level of security design thinking," says Michael Holt, president and CEO of healthcare security firm Virta Labs.
The FDA's new draft guidance replaces a previous draft guidance issued in October 2018 that also proposed updates to a final guidance that the FDA issued in 2014, which addressed premarket cybersecurity expectations at the time, the FDA says (see: FDA Calls for Cybersecurity Bill of Materials for Devices).
Since then, however, the cybersecurity landscape - as well as the use of internet-connected medical devices - has evolved dramatically, necessitating changes to the guidance, the FDA says.
"This guidance, once finalized, is intended to reduce regulatory burden by helping industry identify issues related to cybersecurity that should be addressed in the design and development of their medical devices and prepare premarket submissions for those devices."
—Dr. Suzanne Schwartz, FDA
"Cybersecurity threats to the healthcare sector that can render medical devices and hospital networks inoperable have become more frequent and more severe and carry increased potential for clinical impact, such as delaying diagnoses or treatment, and may lead to patient harm," says Dr. Suzanne Schwartz, director of the FDA's Office of Strategic Partnerships & Technology Innovation, Center for Devices and Radiological Health in a statement to Information Security Media Group.
The recommendations contained in the new guidance aim to help ensure medical devices are "sufficiently resilient" to cybersecurity threats, she says.
"This guidance, once finalized, is intended to reduce regulatory burden by helping industry identify issues related to cybersecurity that should be addressed in the design and development of their medical devices and prepare premarket submissions for those devices," she says. "In addition, this guidance will facilitate efficiency in the FDA's review of these submission types."
The FDA's 49-page draft guidance covers a wide range of cybersecurity considerations and actions that medical device makers are recommended to address and document for premarket submissions, including:
- Threat modeling: This means identifying the security objectives, risks and vulnerabilities of a device system and then defining countermeasures to prevent, or mitigate the effects of, threats to the system throughout its life cycle.
- Third-party software components: This includes providing to the FDA - and to customers as part of product "labeling" - a software bill of materials, or SBOMs, containing information about device maker-developed components, as well as third-party purchased, licensed and open-source software.
- Security risk management: This includes providing a report summarizing the manufacturer's risk evaluation methods and processes and including details of the security risk assessment and risk mitigation activities undertaken, controls and the testing to ensure a device is reasonably secure.
- Implementation of security controls: This includes authentication; authorization; cryptography; code, data and execution integrity; confidentiality; event detection and logging; resiliency and recovery; updatability and patching.
- Cybersecurity testing: This includes security requirements, threat mitigation, vulnerability testing and penetration testing.
- Cybersecurity transparency: This includes transparency in labeling relevant security information for users, such as device instructions and product specifications related to cybersecurity controls, a list of network ports and other interfaces that are expected to receive and/or send data, and SBOMs that are available on a continuous basis and are machine-format readable.
- Vulnerability management plans: This means submitting plans for vulnerability communication so that the FDA can assess whether the manufacturer has sufficiently addressed how to maintain the safety and effectiveness of the device after marketing authorization is achieved.
The FDA's Schwartz tells ISMG that based on comments that the FDA received on its previous guidance documents and the agency's own continued experience, several key changes were made in this latest iteration of premarket device draft guidance, including more detailed recommendations, she says.
"The structure of the guidance document has changed to align with a secure product development framework and associated ties to the quality system regulations," she says.
The FDA also removed "risk tiers" that were contained in previous 2018 draft guidance. "The cybersecurity of the healthcare sector depends on the cybersecurity of all medical devices," according to Schwartz. "To ensure that all manufacturers are appropriately addressing cybersecurity risks, the FDA recommends that all manufacturers provide the requested cybersecurity information; however, the amount of cybersecurity documentation is expected to scale with the cybersecurity risk of the device."
Also, the new draft guidance - unlike the draft issued in 2018 - does not refer to "cybersecurity bill of materials," but instead refers to "software bills of materials," she says. "The primary difference between a CBOM and an SBOM, as outlined, is that CBOM also includes hardware. SBOM includes firmware, which is a type of software."
"Because this guidance refers to SBOM, this recommendation does not address hardware considerations as they relate to bill of materials. The guidance itself does provide recommendations on hardware security outside of the SBOM recommendations," Schwartz says.
Also, the new draft guidance aligns with the Biden administration's May 2021 Executive Order 14028 on Improving the Nation’s Cybersecurity, which includes discussions and requirements around SBOM for organizations who supply certain products to the federal government, she says (see: Analysis: How Biden's Executive Order Mirrors FDA's Cyber Plans).
The FDA is collecting public comment on the new draft guidance until July 7, before it begins work on a final version.
Still, despite the detailed update, the draft guidance's recommendations - even when finalized by the FDA - are considered "nonbinding" and voluntary for manufacturers.
"Biggest issue I have, which I had in 2018: This is just guidance," says Mac McMillan, CEO of security and privacy consultancy CynergisTek. "I still say: Convert the guidance into a set of FDA regulations with real teeth. This should not be 'nice to do' or 'nice to have.' It should be: This is what you must do in order to sell your product to healthcare."
In fact, identical bipartisan bills recently introduced into the U.S. Senate and House of Representatives - the Protecting and Transforming Cyber Health Care, or PATCH Act - aim to make changes to the Federal Food, Drug, and Cosmetic Act, empowering the FDA to require manufacturers to implement certain cybersecurity requirements when the makers apply to the FDA for premarket approval of their devices.
Many of the specific proposals of the PATCH Act also track closely with what the FDA is recommending in its new draft guidance - including the call for device makers to submit to the FDA - and provide customers with SBOMs listing the software components contained in their devices.
In any case, the FDA's new guidance "is much more robust and demonstrates the progress we have made over the last decade in talking about and raising issues with medical device security and the inadequacies of the original guidance," McMillan says.
"It recognizes the importance of architectures in these devices and for more thorough testing."
Axel Wirth, chief security strategist at MedCrypt, a medical device security vendor, offers a similar assessment. He says that although it's still in draft form, the update shows continued growth and maturing of the FDA's view on and requirements for cybersecurity with significant enhancements relative to the previous version.
"FDA calls out that any device is part of the larger health system and that a manufacturer has to consider the security interdependencies between parts of the system and the device and vice versa," Wirth says. "Recognizing the evolution in cybersecurity and of cyberthreats, the document emphasizes the need for security best practices to reduce and manage cyber risks."