- The FDA issued its anticipated draft cybersecurity guidance on Thursday, providing a framework for how medical device manufacturers should address security throughout a device's life cycle. The guidance includes measures recommended in the FDA's 2018 Medical Device Safety Action Plan, including that manufacturers build in the ability to update devices and maintain a software bill of materials (SBOM) to track both manufacturer-developed and third-party software components.
- The agency also recommends that developers implement a secure product development framework, a set of processes to reduce the number and severity of vulnerabilities throughout a device’s lifecycle.
- Separately, legislation was recently introduced in Congress that would give the FDA the authority to implement cybersecurity requirements for manufacturers seeking premarket approval, and would require the development of a plan to identify and address postmarket cybersecurity vulnerabilities.
The new cybersecurity guidance would replace an earlier draft guidance from 2018 and is intended to emphasize the importance of ensuring devices are designed safely, an FDA spokesperson wrote in an email.
It is also intended to help mitigate cybersecurity risks throughout a product’s entire lifecycle, and more clearly outline FDA recommendations for premarket submissions around cybersecurity.
Previously, the FDA had issued guidance in 2014 on its expectations for premarket submissions, and two years later guidance on postmarket management of cybersecurity in medical devices.
"However, the rapidly evolving landscape, a greater understanding of emerging threats, and the need for capable implementation of mitigations throughout the total product lifecycle (TPLC) warrants an updated and iterative approach to cybersecurity of devices," the agency said in the new guidance.
Under the new guidance, the design and documentation expected in a submission scale with the cybersecurity risk of the device. The FDA gave the example of a thermometer: a simple, untethered thermometer carries limited security risk and needs only a limited security architecture. If the same thermometer is used as part of a safety-critical control loop, or is connected to other networks or devices, more substantial documentation and design controls would be expected as part of the premarket submission.
The FDA also recommends that device manufacturers include documentation of their security architecture in submissions, along with metrics on their processes for identifying and remediating vulnerabilities. At a minimum, the guidance says, manufacturers should report the percentage of identified vulnerabilities that have been updated or patched, the time from vulnerability identification to update or patch, and the time from when an update or patch is available to its complete deployment across devices in the field.
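As an added illustration (not code from the FDA or from the article), the three metrics above can be computed from a manufacturer's own vulnerability ledger. The record layout, the field names and the sample dates below are constructed assumptions; the point is the bookkeeping a practitioner gets wrong most often: a vulnerability with no patch counts against the patched percentage but contributes nothing to the time-to-patch average, and a patched-but-not-yet-deployed vulnerability contributes to time-to-patch but not to time-to-deploy.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class VulnRecord:
    """One row of a (hypothetical) vulnerability ledger for a fielded device."""
    vuln_id: str
    identified: date                     # date the vulnerability was identified
    patch_available: Optional[date] = None   # date an update/patch was released
    fully_deployed: Optional[date] = None    # date deployment completed in the field


# Constructed sample data, not real vulnerability records.
SAMPLE_LEDGER = [
    VulnRecord("V-001", date(2022, 1, 10), date(2022, 2, 9), date(2022, 3, 11)),
    VulnRecord("V-002", date(2022, 2, 1), date(2022, 3, 3), None),   # patched, still rolling out
    VulnRecord("V-003", date(2022, 3, 15), date(2022, 3, 25), date(2022, 5, 24)),
    VulnRecord("V-004", date(2022, 4, 1), None, None),               # identified, no patch yet
]


def _validate(r: VulnRecord) -> None:
    """Reject ledger rows whose dates are out of order; bad data silently skews averages."""
    if r.patch_available and r.patch_available < r.identified:
        raise ValueError(f"{r.vuln_id}: patch date precedes identification date")
    if r.fully_deployed and not r.patch_available:
        raise ValueError(f"{r.vuln_id}: deployed without a patch date")
    if r.fully_deployed and r.fully_deployed < r.patch_available:
        raise ValueError(f"{r.vuln_id}: deployment date precedes patch date")


def remediation_metrics(records: list[VulnRecord]) -> dict:
    """Compute the three minimum metrics named in the draft guidance.

    Percentages and means are rounded to one decimal; an empty denominator yields None
    rather than a misleading zero.
    """
    for r in records:
        _validate(r)

    patched = [r for r in records if r.patch_available is not None]
    deployed = [r for r in patched if r.fully_deployed is not None]

    days_to_patch = [(r.patch_available - r.identified).days for r in patched]
    days_to_deploy = [(r.fully_deployed - r.patch_available).days for r in deployed]

    def mean(xs):
        return round(sum(xs) / len(xs), 1) if xs else None

    return {
        "total_identified": len(records),
        "patched_pct": round(100.0 * len(patched) / len(records), 1) if records else None,
        "mean_days_to_patch": mean(days_to_patch),
        "max_days_to_patch": max(days_to_patch, default=None),
        "mean_days_to_deploy": mean(days_to_deploy),
        "max_days_to_deploy": max(days_to_deploy, default=None),
        "awaiting_patch": len(records) - len(patched),
        "awaiting_deployment": len(patched) - len(deployed),
    }


if __name__ == "__main__":
    for k, v in remediation_metrics(SAMPLE_LEDGER).items():
        print(f"{k:22s} {v}")
```

The two "awaiting" counts are not among the FDA's minimum metrics, but they are what turns the averages into something actionable: a low mean time-to-patch is not reassuring if most identified vulnerabilities are still sitting in the unpatched bucket.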
The agency has been seeking more authority to require medical device companies to include cybersecurity information up front as part of a premarket submission, including a software bill of materials and the ability to update and patch device security as part of the product design. The agency also wants to be able to mandate timely updates and patches for legacy devices, Kevin Fu, CDRH's acting director of medical device cybersecurity, told MedTech Dive last year.
One part of the proposed legislation, the Protecting and Transforming Cyber Health Care (PATCH) Act, would expand security requirements for device manufacturers and introduce requirements for them to monitor and address postmarket cybersecurity vulnerabilities. The bipartisan bill, sponsored by Sens. Tammy Baldwin, D-Wis., and Bill Cassidy, R-La., was recently introduced in the Senate, and there is companion legislation in the House of Representatives.