Recommendations to Address Cybersecurity in Medical Devices
PITTSBURGH, PA, USA, September 27, 2023 - The United States Food and Drug Administration (US FDA) issued the final version of its guidance document titled “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions – Guidance for Industry and Food and Drug Administration Staff” on September 27, 2023 (referred to as the Premarket Guidance or the guidance in this summary). This guidance has been revised several times over the last several years, starting with the initial release in 2014 and continuing through draft releases in 2018 and 2022. Given the rash of ransomware attacks on healthcare organizations, and the very real threat they pose to patient safety, the need to strengthen the cybersecurity posture of medical devices has never been greater. With statutory authority to enforce these premarket requirements under the recent amendments to the Federal Food, Drug, and Cosmetic Act (FD&C Act), which added section 524B on cyber devices, FDA is moving quickly to encourage device makers to adopt the recommendations in this guidance.
Scope of Guidance
The Scope section references several categories of devices. Its opening sentence states that the guidance applies to “devices with cybersecurity considerations”, including but not limited to devices that contain software, and that it is not limited to devices that are network-enabled. It then references section 201(h) of the FD&C Act and states that the guidance applies to “all types of devices within the meaning…” of that section. This includes devices regulated as biological products and devices for which a premarket submission is not required. Combination products are mentioned, with FDA directing stakeholders to contact the FDA division that will have the lead reviewer for the combination product. Investigational Device Exemptions (IDEs) are covered in detail in Appendix 3 of the guidance.
Software Bill of Materials (SBOM) as a Requirement
The SBOM provides transparency to device users and purchasers by detailing the software components included in a medical device. Some liken the SBOM to the list of ingredients on a food label. FDA, among others, has been advocating for the adoption of the SBOM, and the Premarket Guidance refers to SBOMs in several places. To begin with, for cyber devices an SBOM is no longer optional. The guidance notes that “For cyber devices, an SBOM is required (see section 524B(b)(3) of the FD&C Act).”
For the contents of an SBOM, FDA references the October 2021 National Telecommunications and Information Administration (NTIA) Multistakeholder Process on Software Component Transparency document. That document lists the following minimum (baseline) elements:
- Author Name
- Timestamp
- Supplier Name
- Component name
- Version string
- Component hash
- Unique Identifier
- Relationship
In addition to the minimum elements, for each component, manufacturers should include (as part of the SBOM or in an addendum):
- The software level of support provided through monitoring and maintenance from the software component manufacturer (e.g., the software is actively maintained, no longer maintained, abandoned)
- The software component’s end-of-support date.
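As an added example (not part of the FDA guidance or the NTIA document, and not the code of any SBOM tool), the following Python checker walks an SBOM and reports components missing any of the baseline elements above or the two FDA addendum fields, flags components that are no longer maintained or abandoned, and flags end-of-support dates that have already passed. The SBOM layout, the field names and the component data are constructed for this illustration (it is not SPDX or CycloneDX); the `alg:hexdigest` hash convention, the `SUBMISSION_DATE` reference date and the hypothetical `Example Device Co.` entries are assumptions.

```python
from datetime import date

# Constructed reference date for the checks (the guidance's issue date).
SUBMISSION_DATE = date(2023, 9, 27)

# NTIA baseline elements recorded per component.
NTIA_COMPONENT_ELEMENTS = (
    "supplier_name", "component_name", "version_string",
    "component_hash", "unique_identifier", "relationship",
)
# Author Name and Timestamp describe who assembled the SBOM data and when;
# this checker accepts them on the individual entry or at document level.
NTIA_ENTRY_ELEMENTS = ("author_name", "timestamp")
# The two per-component fields FDA asks for, in the SBOM or an addendum.
FDA_ADDENDUM_FIELDS = ("support_level", "end_of_support_date")
SUPPORT_LEVELS = {"actively maintained", "no longer maintained", "abandoned"}
# Assumed "alg:hexdigest" hash convention for this example.
HASH_HEX_LENGTH = {"sha256": 64, "sha1": 40, "md5": 32}


def well_formed_hash(value):
    """True if value looks like alg:hexdigest with the right digest length."""
    alg, sep, digest = value.partition(":")
    if not sep or alg not in HASH_HEX_LENGTH:
        return False
    return (len(digest) == HASH_HEX_LENGTH[alg]
            and all(c in "0123456789abcdef" for c in digest.lower()))


def check_sbom(sbom, today=SUBMISSION_DATE):
    """Return (component_name, finding) tuples; an empty list means no issues."""
    findings = []
    for comp in sbom.get("components", []):
        name = comp.get("component_name") or "<unnamed>"
        # Baseline elements and FDA addendum fields must be present and non-empty.
        for field in NTIA_COMPONENT_ELEMENTS + FDA_ADDENDUM_FIELDS:
            if not comp.get(field):
                findings.append((name, f"missing '{field}'"))
        for field in NTIA_ENTRY_ELEMENTS:
            if not (comp.get(field) or sbom.get(field)):
                findings.append((name, f"missing '{field}' on entry and document"))
        digest = comp.get("component_hash")
        if digest and not well_formed_hash(digest):
            findings.append((name, f"malformed component_hash '{digest}'"))
        level = comp.get("support_level")
        if level and level not in SUPPORT_LEVELS:
            findings.append((name, f"unrecognised support_level '{level}'"))
        elif level in ("no longer maintained", "abandoned"):
            findings.append((name, f"component is {level}; the MDM must cover its monitoring and patching"))
        eos = comp.get("end_of_support_date")
        if eos and date.fromisoformat(eos) <= today:
            findings.append((name, f"end of support ({eos}) has already passed"))
    return findings


# Constructed sample SBOM for a hypothetical device; not real component data.
SAMPLE_SBOM = {
    "author_name": "Example Device Co. SBOM tooling",
    "timestamp": "2023-09-27T10:00:00Z",
    "components": [
        {
            "supplier_name": "Example Crypto Project",
            "component_name": "examplecrypto",
            "version_string": "3.0.10",
            "component_hash": "sha256:" + "ab" * 32,
            "unique_identifier": "pkg:generic/examplecrypto@3.0.10",
            "relationship": "included in firmware image",
            "support_level": "actively maintained",
            "end_of_support_date": "2026-09-07",
        },
        {
            "supplier_name": "Acme Embedded",
            "component_name": "legacy-tcpip-stack",
            "version_string": "2.1",
            "component_hash": "sha256:notahexdigest",
            "unique_identifier": "",
            "relationship": "included in firmware image",
            "support_level": "abandoned",
            "end_of_support_date": "2019-12-31",
        },
    ],
}

if __name__ == "__main__":
    for component, finding in check_sbom(SAMPLE_SBOM):
        print(f"{component}: {finding}")
```

Run against the constructed SBOM, the first component passes cleanly while the legacy stack produces four findings: an empty unique identifier, a malformed hash, abandoned support status and an end-of-support date in the past. Each of those is exactly the kind of gap a reviewer would expect the submission to explain.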
Vulnerabilities and Monitoring
Continuous monitoring of the vulnerabilities associated with device components is meant to move manufacturers from a reactive cybersecurity posture to a proactive one. The Premarket Guidance states that “As part of the premarket submission, manufacturers should also identify all known vulnerabilities associated with the device and the software components”. In particular:
- The list should include vulnerabilities identified in CISA’s Known Exploited Vulnerabilities (KEV) Catalog
- For each vulnerability, manufacturers should describe how it was discovered, to demonstrate whether the assessment methods were sufficiently robust
- For components with known vulnerabilities, medical device manufacturers (MDMs) should provide:
  - A safety and risk assessment of each known vulnerability (including device and system impacts)
  - Details of the applicable safety and security risk controls that address the vulnerability
Metrics Required with Submissions
To “demonstrate the effectiveness of a manufacturer’s processes”, FDA recommends tracking and reporting specific metrics. The following metrics should be provided in both premarket submissions and PMA annual reports:
- Percentage of identified vulnerabilities that are updated or patched (defect density)
- Duration from vulnerability identification to when it is updated or patched
- Duration from when an update or patch is available to complete implementation in devices deployed in the field, to the extent known
- Averages of the above measures should be provided if multiple vulnerabilities are identified and addressed. These averages may be provided over multiple time frames based on volume or in response to process or procedure changes to increase efficiencies of these measures over time
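The vulnerability identification items and the metrics above can be worked through together. The following Python is an added example, not from the FDA guidance or from any MDM's tooling: it matches SBOM components against an advisory list (with a KEV membership check) using a simple numeric version comparison, then computes the three recommended measures from a tracking log, averaging field deployment only where it is known. The components, the `ADV-000x` advisory identifiers, the KEV membership set and the tracking dates are all constructed placeholders, not real vulnerability data.

```python
from datetime import date
from statistics import mean


def version_key(version):
    """Numeric tuple so '3.0.9' sorts before '3.0.10'; assumes dotted-integer versions."""
    return tuple(int(part) for part in version.split("."))


def find_known_vulnerabilities(components, advisories, kev_ids):
    """Match each SBOM component against advisories and flag KEV-listed entries.

    A component is affected when its version is below the advisory's fixed_in.
    """
    matches = []
    for comp in components:
        for adv in advisories:
            if adv["component"] != comp["name"]:
                continue
            if version_key(comp["version"]) < version_key(adv["fixed_in"]):
                matches.append({
                    "component": comp["name"],
                    "version": comp["version"],
                    "advisory": adv["id"],
                    "fixed_in": adv["fixed_in"],
                    "in_kev": adv["id"] in kev_ids,
                })
    return matches


def days_between(start, end):
    return (date.fromisoformat(end) - date.fromisoformat(start)).days


def vulnerability_metrics(records):
    """The three FDA-recommended measures from a vulnerability tracking log.

    Each record holds ISO dates: identified, and optionally patched,
    patch_available and deployed. Durations are averaged only over records
    where both endpoints are known, matching the guidance's "to the extent known".
    """
    patched = [r for r in records if r.get("patched")]
    id_to_patch = [days_between(r["identified"], r["patched"]) for r in patched]
    avail_to_deploy = [
        days_between(r["patch_available"], r["deployed"])
        for r in records if r.get("patch_available") and r.get("deployed")
    ]
    return {
        "percent_patched": 100.0 * len(patched) / len(records) if records else 0.0,
        "mean_days_identified_to_patched": mean(id_to_patch) if id_to_patch else None,
        "mean_days_available_to_deployed": mean(avail_to_deploy) if avail_to_deploy else None,
        "deployment_known_for": len(avail_to_deploy),
        "total": len(records),
    }


# Constructed inputs: hypothetical components, placeholder advisory identifiers
# (not real CVEs), a placeholder KEV membership set, and a made-up tracking log.
COMPONENTS = [
    {"name": "examplecrypto", "version": "3.0.9"},
    {"name": "examplebox", "version": "1.36.1"},
]
ADVISORIES = [
    {"id": "ADV-0001", "component": "examplecrypto", "fixed_in": "3.0.10"},
    {"id": "ADV-0002", "component": "examplecrypto", "fixed_in": "3.0.8"},
    {"id": "ADV-0003", "component": "examplebox", "fixed_in": "1.36.1"},
]
KEV_IDS = {"ADV-0001"}
TRACKING_LOG = [
    {"identified": "2023-01-10", "patched": "2023-02-09",
     "patch_available": "2023-02-09", "deployed": "2023-03-11"},
    {"identified": "2023-03-01", "patched": "2023-03-21",
     "patch_available": "2023-03-21", "deployed": None},
    {"identified": "2023-06-15", "patched": None,
     "patch_available": None, "deployed": None},
    {"identified": "2023-07-01", "patched": "2023-07-11",
     "patch_available": "2023-07-11", "deployed": "2023-08-10"},
]

if __name__ == "__main__":
    for m in find_known_vulnerabilities(COMPONENTS, ADVISORIES, KEV_IDS):
        tag = " [KEV]" if m["in_kev"] else ""
        print(f"{m['component']} {m['version']}: {m['advisory']} fixed in {m['fixed_in']}{tag}")
    print(vulnerability_metrics(TRACKING_LOG))
```

On the constructed data only `ADV-0001` matches (the 3.0.9 component is below its 3.0.10 fix, and the other advisories are already fixed), and it is flagged as KEV-listed. The metrics come out as 75% patched, a mean of 20 days from identification to patch, and a mean of 30 days from patch availability to field deployment over the two records where deployment is known. Reporting the "known for" count alongside the average is what makes the "to the extent known" caveat auditable.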
Cybersecurity Management Plan
Cybersecurity matters throughout a device’s lifecycle, and FDA recommends that manufacturers “establish a plan for how they will identify and communicate to users vulnerabilities that are identified after releasing the device in accordance with 21 CFR 820.100”. Manufacturers should note that FDA recommends including this plan in the premarket submission so that “FDA can assess whether the manufacturer has sufficiently addressed how to maintain the safety and effectiveness of the device after marketing authorization is achieved.”
Cybersecurity management plans should include:
- Personnel responsible
- Sources, methods, and frequency for monitoring and identifying vulnerabilities
- Identification and remediation of vulnerabilities listed in CISA’s Known Exploited Vulnerabilities Catalog
- Periodic security testing
- Timeline to develop and release patches
- Update processes
- Patching capability
- Description of their coordinated vulnerability disclosure process
- Description of how the manufacturer intends to communicate forthcoming updates and patches
Labeling
The Premarket Guidance treats device labeling as an important consideration and as a way to communicate cyber risk effectively to end users, which manufacturers should keep in mind as they integrate cybersecurity processes into their existing risk frameworks. A few references in the guidance worth noting:
- “FDA believes that the cybersecurity information discussed in this guidance is important for the safe and effective use of devices and should be included in device labeling”
- “Under section 502(a)(1) of the FD&C Act, a medical device is deemed misbranded if its labeling is false or misleading in any particular.”
- “The device manufacturer should also provide users with whatever information they may need in the device labeling to allow them to manage risks associated with the software components, including known vulnerabilities, configuration specifications, and other relevant security and risk management considerations.”
- “SBOMs can also be an important tool for transparency with users of potential risks as part of labeling”
Summary
This long-awaited guidance from FDA provides a reference for medical device manufacturers as they continue along their cybersecurity journey. Depending on where a manufacturer is in that journey, some parts of the guidance will apply immediately while others will be future implementations. In any case, there is much more content in the 48-page guidance, which is available from FDA.