Recommendations to Address Cybersecurity in Medical Devices
PITTSBURGH, PA, USA, September 27, 2023
The United States Food and Drug Administration (US FDA) issued the final version of its guidance document titled “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions – Guidance for Industry and Food and Drug Administration Staff” on September 27, 2023 (referred to as the Premarket Guidance or the guidance in this summary). This important guidance document has been revised multiple times over the last several years, starting with the initial release in 2014 and continuing through draft releases in 2018 and 2022. Given the rash of ransomware attacks in healthcare, and the very real threat to patient safety, the need to strengthen the cybersecurity profile of medical devices has never been greater. With legislative authority to enforce these premarket requirements under the recent modifications to the Federal Food, Drug, and Cosmetic Act (FD&C Act), FDA is moving quickly to encourage device makers to adopt the recommendations in this guidance document.
In terms of applicability and the devices covered under the guidance, multiple categories are referenced. The opening sentence of the Scope section notes that the guidance applies to “devices with cybersecurity considerations” and is not limited to devices that contain software or that are network-enabled. It then references section 201(h) of the FD&C Act and states that the guidance is applicable to “all types of devices within the meaning…” of that section. This includes biological products and devices for which a premarket submission is not required. Combination products are mentioned, with FDA directing stakeholders to contact the FDA division that will have the lead reviewer for the combination product. Investigational Device Exemptions (IDE) are covered in detail in Appendix 3 of the guidance.
The SBOM provides transparency to consumers by detailing the software components included in a medical device. Some liken the SBOM to a list of ingredients on a food label. FDA, and others, have been advocating for the adoption of the SBOM, and the Premarket Guidance refers to SBOMs in several places. To begin with, SBOMs are no longer optional. The guidance notes that “For cyber devices, an SBOM is required (see section 524B(b)(3) of the FD&C Act).”
For the contents of an SBOM, FDA references the October 2021 National Telecommunications and Information Administration (NTIA) Multistakeholder Process on Software Component Transparency document. In this document, the minimum elements (baseline elements) are listed as:
In addition to the minimum elements, for each component, manufacturers should include (as part of the SBOM or in an addendum):
By continuously monitoring vulnerabilities associated with device components, manufacturers can evolve their current reactive cybersecurity strategies into more proactive ones. The Premarket Guidance addresses vulnerabilities directly and states that “As part of the premarket submission, manufacturers should also identify all known vulnerabilities associated with the device and the software components”.
To “demonstrate the effectiveness of a manufacturer’s processes”, FDA recommends the tracking and reporting of specific metrics. The following metrics should be provided in both premarket submissions and PMA annual reports:
Cybersecurity is impactful throughout a device’s lifecycle, and FDA recommends that manufacturers “establish a plan for how they will identify and communicate to users vulnerabilities that are identified after releasing the device in accordance with 21 CFR 820.100”. Manufacturers should note that FDA recommends that this plan be part of the manufacturer’s premarket submissions so that “FDA can assess whether the manufacturer has sufficiently addressed how to maintain the safety and effectiveness of the device after marketing authorization is achieved.”
Cybersecurity management plans should include:
The Premarket Guidance references device labeling as an important consideration and a way to communicate cyber risk effectively to end users. This is an important consideration for manufacturers as they begin to integrate cybersecurity processes into their existing risk frameworks. Here are a few important references in the guidance that should be considered:
This long-awaited guidance from FDA provides a reference for medical device manufacturers as they continue along their cybersecurity journey. Depending on where you are in this journey, some parts of this guidance will be immediately applicable while others will be future implementations. In any case, there is much more content in the 48-page guidance, which you can find here.
Founded in 2019, Vigilant Ops is an innovator in the medical device cybersecurity industry. Led by seasoned medical device cybersecurity experts with more than forty years of combined experience, Vigilant Ops provides medical device manufacturers and hospitals with unprecedented insight into device risk profiles, enabling proactive management of threats before they impact the quality of patient care.