FDA Finalizes Guidance Just as New Device Cyber Regs Kick In
Starting Oct. 1, Agency to Require Secure Dev Framework, Threat Modeling, SBOMs
The Food and Drug Administration has issued final guidance on how medical device makers should approach cybersecurity in their products to meet new requirements for including cyber details in their premarket product submissions.
The document, "Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions," offers FDA recommendations for medical device makers on a wide range of product security issues.
They include implementing a secure product development framework to reduce the number and severity of vulnerabilities throughout a device's life cycle, threat modeling, third-party components, and information pertaining to a software bill of materials.
"Cybersecurity threats to the healthcare sector have become more frequent and more severe, carrying increased potential for clinical impact," the FDA wrote in the guidance. "Cybersecurity incidents have rendered medical devices and hospital networks inoperable, disrupting the delivery of patient care across healthcare facilities in the U.S. and globally. Such cyberattacks and exploits may lead to patient harm as a result of clinical hazards, such as delay in diagnoses and/or treatment."
The final guidance was published in the Federal Register on Wednesday, and the FDA's "refuse to accept" policy will take full effect on Oct. 1. The new policy will enable the agency to immediately reject premarket medical device submissions that lack required cybersecurity details.
Required details include a vendor's plan to address postmarket vulnerabilities, a method for coordinated disclosures of exploits, and a software bill of materials, including commercial, open-source, and off-the-shelf software components.
Each premarket product submission must come with "a reasonable assurance" that the device and related systems are secure and that the manufacturer will develop patches to fix bugs.
Refuse to Accept
The FDA's "refuse to accept" policy has existed for years for various products, but it previously didn't apply to the cybersecurity of medical devices (see: Why OT Security Keeps Some Healthcare Leaders Up at Night).
While the FDA's "refuse to accept" policy for the security of premarket medical device submissions officially went into effect March 29, the agency provided a grace period until Oct. 1, during which the FDA was willing to work collaboratively with device applicants to address their cybersecurity deficiencies in the review process (see: FDA Will Begin Rejecting Medical Devices Over Cyber Soon).
Starting Oct. 1, the FDA can immediately refuse to accept premarket submissions that do not contain the cybersecurity information required by the agency.
Nonetheless, the finalized guidance still offers some wiggle room for medical device makers whose applications are pending with the FDA at the time of initial publication of the guidelines, as well as those submitted right after initial publication of the document. The guidance says that the FDA intends to work collaboratively with manufacturers of such premarket submissions as part of the FDA review process.
The FDA's enhanced authority over the cybersecurity of medical devices was granted by Congress in the omnibus funding bill signed into law by President Joe Biden on Dec. 29, 2022.
The bill amended the longtime Federal Food, Drug, and Cosmetic Act by adding Section 524B - Ensuring Cybersecurity of Devices, which includes an array of cybersecurity requirements that manufacturers now must meet in their "cyber devices." They include products that can connect to the internet.
Some experts strongly advise device makers to thoroughly read the FDA's new cybersecurity requirements - and to carefully consider the agency's recommended approaches to addressing those mandates - despite the guidance itself being stamped "non-binding."
"Companies planning an FDA submission would do well to review the 524B and FDA premarket guidance documents to capture key components, including threat model, risk assessment, secure product development framework, postmarket monitoring, assessment and response plan, patches and updates, product testing and SBOM, among others," said Phil Englert, vice president of medical device security at the Health Information Sharing and Analysis Center.
"Defining and balancing the cost components of fluid cyber requirements with the other design demands and constraints of cost, market price, form factor, clinical efficacy, ergonomics, safety, reliability, accuracy, durability, serviceability and others is not an easy task - and guidelines rather than requirements is a temptation many find hard to resist."
As the FDA's "refuse to accept" policy takes root, device makers should also communicate with the agency "early and often," Englert recommended.
"Discussing your products with FDA prior to submission will help gain valuable insights in what areas FDA is focusing on in addition to providing an opportunity to educate FDA on your methods, rationale and products," he said.
"If device makers communicate with the FDA, including about issues of uncertainty, submissions will no longer come in cold but have an air of familiarity," he said. "Additionally, submissions should not only be thorough, well organized and indexed - each section should be a self-contained whole."
"Repeat information wherever it is appropriate. If your risk assessment indicates no need to mitigate a known vulnerability, repeat the rationale and decision-making process in both the risk assessment and the SBOM/vulnerability exploitability exchange, putting pertinent information when and where it is useful."
The FDA issued a draft version of the premarket medical device cybersecurity guidance in April 2022.
The finalized document this week also supersedes an earlier FDA guidance - Content of Premarket Submissions for Management of Cybersecurity in Medical Devices - issued in October 2014 (see: FDA Issues Medical Device Security Guide).
"The world has changed a lot since FDA issued its first cybersecurity engineering guidance document a decade ago," said Kevin Fu, director of the Archimedes Center for Health Care and Medical Device Cybersecurity at Northeastern University and a former FDA adviser.
"This new guidance significantly modernizes the expectations of medical device cybersecurity engineering because of the increased cybersecurity risks and threats to healthcare delivery," he said.
"Manufacturers who invested in cybersecurity engineering programs leveraging FDA guidance and the Health Sector Coordinating Council's Joint Security Plan will be better prepared for this widely anticipated change," Fu said.
On the other hand, "manufacturers without strong cybersecurity expectations by the board of directors are likely to struggle in the marketplace because cybersecurity begins with strong leadership."