FDA Seeks Comment on Draft Guidance on Cybersecurity Controls for Medical Devices

Introduction

The Food and Drug Administration (FDA) has released Draft Guidance regarding cybersecurity controls for medical devices on which it is seeking comments from interested parties. The Draft Guidance is aimed at encouraging robust cybersecurity controls designed to ensure the safety of medical devices through the total product lifecycle. Although the Draft Guidance is not binding and does not carry the force of law, it clarifies existing FDA requirements and provides recommendations to manufacturers regarding designing secure devices and the content of premarket submissions related to cybersecurity concerns.

Cybersecurity vulnerabilities can pose serious risks for medical devices and patient safety. For example, in the context of insulin pumps, an unauthorized individual could wirelessly connect to the insulin pump and change the pump’s settings to over deliver insulin or stop delivery completely. Moreover, because devices have evolved to become more interconnected, a cybersecurity threat to one device can compromise the functionality of multiple devices, especially devices running on the same software or utilizing similar components. This can disrupt patient care by delaying diagnoses or treatment.

FDA previously issued final security guidance addressing premarket expectations in 2014, as well as complementary guidance addressing postmarket device management in 2016. However, because of the frequency and severity of cybersecurity threats and the increased connectivity of devices, FDA stressed the need for an updated and iterative approach to medical device security. The 2022 guidance replaces proposed updated guidance released in October 2018 and incorporates input from stakeholders, comments received in 2018, and recommendations from the Health Care Industry Cybersecurity Task Force Report.

FDA is accepting comments and suggestions through July 7, 2022.

Improving Medical Device Security

The Draft Guidance refers to four general principles FDA deems particularly important to the improvement of device cybersecurity. Those principles (which are essentially core theories and topics) are: (1) cybersecurity is part of device safety and the Quality System Regulations; (2) designing for security; (3) transparency; and (4) submission documentation. The Draft Guidance makes a number of recommendations regarding each of these four “principles.”

Cybersecurity is Part of Device Safety

FDA notes that manufacturers must establish and follow quality system requirements to ensure that their products meet applicable requirements and specifications. The relevant quality system requirements are set forth in the Quality System Regulations (QSR) in 21 CFR Part 820. FDA recommends that, within the premarket context, documentation outputs related to QSR requirements may be submitted for devices with cybersecurity risks to demonstrate a reasonable assurance of safety and effectiveness. Regarding the QSR, an emerging issue of note is whether the HIPAA Security Risk Assessment for medical devices must also be part of the QSR. Although the QSR helps to ensure medical devices are safe and effective, requiring HIPAA Security Risk Assessments for medical devices to be part of the QSR would likely destroy privilege.

FDA also recommends that manufacturers establish development processes that account for and address cybersecurity risks. According to FDA, the development “processes should address the identification of security risks, the design requirements for how the risks will be controlled, and the evidence that the controls function as designed and are effective in their environment of use for ensuring adequate security.”¹

Designing for Security

The Draft Guidance makes clear that FDA will assess the adequacy of a device’s security based on the device’s ability to provide and implement the following security objectives throughout the system architecture: (i) authenticity, which includes integrity, (ii) authorization, (iii) availability, (iv) confidentiality, and (v) secure and timely updatability and patchability. FDA further noted that premarket submissions should describe how the identified security objectives are addressed by, and integrated into, the device design.

Transparency

The Draft Guidance stresses that medical devices can be compromised when cybersecurity information is not shared with users. Cybersecurity information may include information that is necessary to integrate the device into the use environment or information users need to maintain the device’s security over its lifecycle. To address these vulnerabilities, FDA recommends that users should be provided with access to information related to the device’s cybersecurity controls, potential risks, and any other relevant information. For example, disclosing cybersecurity vulnerabilities, interfaces and third-party software, and providing ample information for a user to configure or update a device will help to mitigate cybersecurity threats and improve the overall safety and effectiveness of the device. FDA has previously issued guidance aimed at informing patients and caregivers about cybersecurity vulnerabilities and additional information regarding FDA’s recommended best practices in this context can be found here.

Additionally, the Draft Guidance notes that cybersecurity transparency can be achieved through proper labeling and the establishment of vulnerability management plans. Regarding labeling, FDA noted that informing end users of relevant security information will not only help to mitigate cybersecurity vulnerabilities, but will fulfil labeling requirements and is an important aspect of QSR design controls. Examples of labeling include device instructions and product specifications related to recommended cybersecurity controls appropriate for the intended use environment, such as anti-malware software, use of a firewall, or password requirements, and high-level descriptions of device features that protect critical functionality, such as backup mode or disabling ports.

Further, vulnerability management plans can help manufacturers to establish how they will identify and communicate vulnerabilities that are found after a device is released to the user. According to FDA, a vulnerability management plan should also be submitted as part of a premarket submission, as this will allow FDA to sufficiently review whether the safety and effectiveness of the device can be maintained after the device is authorized for marketing. Vulnerability management plans should identify: (i) the personnel responsible for identifying and communicating device vulnerabilities; (ii) sources, methods, and frequency for monitoring for and identifying vulnerabilities; (iii) periodic security testing to test identified vulnerability impact; (iv) timeline to develop and release patches; (v) update processes; (vi) patching capability; (vii) a description of the coordinated vulnerability disclosure process; and (viii) a description of how the manufacturer intends to communicate future remediations, patches, and updates to customers.

Submission Documentation

Finally, because cybersecurity design and documentation scales with the cybersecurity risk of a device, FDA recommends that manufacturers be mindful of the larger system in which the device may be used. Devices that are connected to networks or other devices may have greater cybersecurity risks and will therefore require more substantial design controls. Additionally, the documentation provided in the premarket submission may be extensive as manufacturers must demonstrate reasonable assurance of safety and effectiveness.

Implementing a Secure Product Development Framework

The Draft Guidance also discusses the adoption of a Secure Product Development Framework (SPDF) as one method manufacturers may use to manage cybersecurity risks. Given the rapidly evolving nature of cybersecurity threats and increased connectivity of devices, the Guidance stresses the importance of ensuring that medical devices are designed to mitigate risks through the total product lifecycle (TPLC). This is similar to the Software Development Life Cycle (SDLC) process, a well-known and established process used in the software industry. To ensure TPLC considerations are achieved and to increase the overall safety and effectiveness of medical devices, FDA recommends that manufacturers adopt an SPDF.

As noted in the Draft Guidance, an SPDF is a set of processes that help reduce the amount and severity of vulnerabilities in a product. An SPDF can also help to mitigate cybersecurity risks that are introduced by threats directly to the device or the larger system. FDA further recommends manufacturers adopt an SPDF because it can help to ensure that QSR requirements are met. Finally, according to FDA, devices developed based on an SPDF are more likely to be secure by design.

The Draft Guidance also sets forth several recommendations for using the SPDF process and the suggested documentation manufacturers may provide as part of premarket submissions. FDA’s recommendations detail: (i) security risk management, including documentation related to threat modeling, third-party software components, and security assessment of unresolved anomalies; (ii) security architecture, including documentation related to the implementation of security controls, security architecture views, including, at minimum, a global system view, multi-patient harm view, updateability/patchability view, and security use case view; and (iii) cybersecurity testing. Detailed descriptions and specific recommendations related to security controls and their implementation can be found in Appendix 1 of the Draft Guidance. Methods for providing the views and FDA’s expectations for the level of detail that should be provided can be found in Appendix 2 of the Draft Guidance.

The comprehensive nature of the Draft Guidance underscores the importance of including robust cybersecurity controls to ensure medical device safety and effectiveness. As detailed by FDA, given the increased interconnectivity of medical devices and rapidly evolving cybersecurity threats, industry stakeholders and companies must consider how to mitigate risks throughout the TPLC. Moreover, manufacturers seeking premarket approval should be mindful of FDA’s cybersecurity expectations in their premarket submission documentation.

European Approach

In Europe, a parallel effort has produced a more developed and specific regulation. The recently applicable Medical Devices Regulation (MDR) introduced specific provisions on cybersecurity. As well as more detailed provisions on post-market surveillance compared to the previous Medical Devices Directive, the MDR states that devices that incorporate electronic programmable systems and software that are medical devices shall be designed and manufactured to remove or reduce “risk associated with the possible negative interaction between software and the IT environment within which it operates and functions” (the In Vitro Diagnostics Regulation contains similar provisions). There is also a specific chapter, within the general safety and performance requirements that have to be met to obtain a CE mark, that is focused on software design. Manufacturers are required to develop and manufacture devices in accordance with the state of the art, taking into account the principles of risk management, including provisions on information security, and in line with the prescribed minimal requirements on IT security and protection from unauthorised access.

These provisions are further expanded in guidance from the Medical Device Coordination Group (MDCG), a group set up under the MDR to seek consensus among stakeholders on the interpretation of the MDR, and that publishes guidance to this effect. MDCG 2019-16 rev.1 on cybersecurity for medical devices sets out detailed guidance document on how to comply with the MDR cybersecurity requirements.

Data security provisions are included in the General Data Protection Regulation, which seeks to ensure protection of personal data, including from unauthorized cyber-attacks, and the Network Information Systems Directive requires manufacturers to take measures to manage cyber security and report major security incidents. While these requirements are not focused on medical devices, the provisions will apply to medical device manufacturers. The MDCG guidance seeks to set out how these various provisions inter-relate, but is focused on the medical device requirements in the first instance.

Ideally, the new FDA guidance will complement the EU rules so that companies affected by both will be able to maintain controls that meet both sets of standards, rather than having different requirements to meet on each side of the Atlantic.

The comment period for the Draft Guidance closes on July 7, 2022. Manufacturers and other stakeholders should consider whether to submit comments on areas they believe should be modified.

© Arnold & Porter Kaye Scholer LLP 2022 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.