FDA Releases Medical Device Cybersecurity Draft Guidance

FDA Releases Medical Device Cybersecurity Draft Guidance

In recognition of the increasing prevalence of connected medical devices, and the potential cybersecurity vulnerability of the same, the U.S. Food and Drug Administration (FDA or the Agency) issued on October 18, 2018 a draft guidance, "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices" (Draft Guidance).  

FDA Draft Guidance

As the Agency notes in its Draft Guidance, the need for effective cybersecurity to ensure medical device functionality and safety has become more important with the increasing use of wireless, Internet- and network-connected devices, portable media (e.g., USB or CD), and the frequent electronic exchange of medical device-related health information.  The Draft Guidance also highlights the fact that cybersecurity threats to the healthcare sector have become more frequent, more severe, and more clinically impactful.  In recent years, cybersecurity incidents have rendered medical devices and hospital networks inoperable, disrupting the delivery of patient care across healthcare facilities in the US and globally.  Because such cyberattacks and exploits can delay diagnoses and/or treatment and may lead to patient harm, the Agency outlines those cybersecurity-related items it recommends (but does yet require) that sponsors address in medical device premarket submissions.

In the Draft Guidance, FDA focuses on cybersecurity recommendations in the following areas: device design; labeling; and documentation.  With the technical recommendations in its Draft Guidance, the Agency aims to:  (1) ensure better medical device protection against cybersecurity threats that could interrupt clinical operations and delay patient care; and (2) provide a more efficient premarket review process that will better ensure marketed medical devices are protected against cybersecurity vulnerabilities.

The scope of the Draft Guidance is quite broad, covering several types of premarket submissions for medical devices that contain software (including firmware), programmable logic, and software that is considered a medical device, including Premarket Notifications (i.e., 510(k)s); De Novo requests; Premarket Approval Applications (PMAs); Product Development Protocols (PDPs); and Humanitarian Device Exemption (HDE) applications.

The Draft Guidance, once finalized, will replace the Agency’s final medical device cybersecurity guidance from October 2014.  

Ranking Devices Based on Cybersecurity Risk

In the Draft Guidance, FDA defines two "tiers" of devices:

Tier 1 "Higher Cybersecurity Risk": A device is a Tier 1 device if the following criteria are satisfied:

  • The device is capable of connecting (e.g., wired, wirelessly) to another medical or non-medical product, or to a network, or to the Internet; and
  •  A cybersecurity incident affecting the device could directly result in patient harm to multiple patients.

Examples of Tier 1 devices include, but are not limited to, implantable cardioverter defibrillators (ICDs), pacemakers, left ventricular assist devices (LVADs), brain stimulators and neurostimulators, dialysis devices, infusion and insulin pumps, and the supporting connected systems that interact with these devices such as home monitors and those with command and control functionality such as programmers.

Tier 2 "Standard Cybersecurity Risk": A medical device for which the criteria for a Tier 1 device are not satisfied.

The Agency recommends that premarket submissions for Tier 1 devices include documentation demonstrating how the device design and risk assessment incorporate the cybersecurity design controls described in the Draft Guidance.   FDA recommends that submissions for Tier 2 devices include documentation that either: (1) demonstrates each of the specific design features and cybersecurity design controls described in the Draft Guidance have been incorporated; or (2) provides a risk-based rationale for why specific cybersecurity design controls in the Draft Guidance are not appropriate.  Submissions for either tier should also include system diagrams that permit an understanding of how the cybersecurity design elements are incorporated and a summary describing the design features that permit validated software updates and patches as needed throughout the lifecycle of the device.

Designing Trustworthy Devices

For devices with cybersecurity risks, the Draft Guidance recommends that manufacturers design devices that are "trustworthy," as trustworthy devices may be more likely to meet their applicable statutory standard for premarket review and are more likely to remain safe and effective throughout their life-cycle.  Per the Agency, trustworthy devices:

1.    Are reasonably secure from cybersecurity intrusion and misuse;
2.    Provide a reasonable level of availability, reliability, and correct operation;
3.    Are reasonably suited to performing their intended functions; and
4.    Adhere to generally accepted security procedures.

The Draft Guidance provides suggested design features and cybersecurity design controls based on the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity.   Specifically, the Draft Guidance suggests design controls to identify and protect devices assets and functionality and to detect, respond to and recover from cybersecurity risks.

The Draft Guidance also includes suggestions from the Agency with respect to labeling medical devices to communicate relevant security information to end-users.  The labeling recommendations include, but are not limited to:  device instruction and product specifications related to recommended cybersecurity controls appropriate for the intended use environment (e.g., anti-virus software); a description of backup and restore features; infrastructure requirements; description of how forensic evidence is captured, and information concerning cybersecurity end of support, if known.

Commenting on the Draft Guidance; Public Workshop

Interested parties may comment on the Draft Guidance via http://www.Regulations.gov, using docket ID: FDA-2018-D-3443.  The comment period opened on October18, 2018, and will remain open until March 16, 2019.

On January 29-30, 2019, FDA will host a public workshop to discuss and answer questions about the Draft Guidance.  The workshop is an opportunity to provide feedback on the proposed recommendations including recommendations regarding a Cybersecurity Bill of Materials (CBOM), which could become a critical element in identifying cybersecurity assets, threats, and vulnerabilities in the future.  Additional information about the public workshop, including registration instructions, can be found here.

Conclusion

If you have a question regarding an issue raised in this alert, or if you would like to submit comments on FDA’s Draft Guidance, please contact the authors or the Firm attorney with whom you are in contact.