August 5, 2022
Many medical devices operate as part of a larger system, such as a health care facility network, to provide improved, coordinated patient care. However, increased connectivity means cybersecurity threats can compromise not only individual devices but entire networks, affecting patient care by delaying diagnoses or treatments or even bringing down entire hospital systems for long periods, for example, in the case of severe ransomware attacks.
To safeguard medical devices throughout their life cycle, the Food and Drug Administration issued its April 8, 2022, draft guidance, "Cybersecurity in Medical Devices: Quality System Considerations and Content of Pre-market Submissions." The document provides recommendations for how medical device manufacturers should build cybersecurity into their product designs, as well as how to handle security in pre-market submissions and deploy mitigations for older legacy devices. Once finalized, the guidance would apply to all devices that contain software/firmware, investigational device exemptions, and Software as a Medical Device (SaMD).
Most changes were made to align with existing software pre-market guidance documents and emphasize that cybersecurity should not be an afterthought in the product development life cycle. The new draft guidance differs significantly from previous guidance documents in the following five ways:
- The new document highlights that cybersecurity is part of device safety and quality systems regulation (QSR), and device manufacturers must satisfy the QSR found in 21 CFR Part 820 "to help ensure that their products consistently meet applicable requirements and specifications." The new draft guidance also suggests device manufacturers consider using a secure product development framework to achieve QSR goals and to "reduce the number and severity of vulnerabilities in products."
- The new guidance asks manufacturers to provide a software bill of materials (SBOM) instead of a cybersecurity bill of materials, the latter of which was defined to also include hardware. The new guidance's focus on SBOMs aligns it with President Biden's May 2021 Executive Order 14028 to enhance U.S. cybersecurity by requiring SBOMs for devices procured by the government.
- The 2022 draft guidance further enhances transparency by asking manufacturers to offer technical information to medical device users and improve labeling. Specifically, the 2022 guidance asks manufacturers to provide device users with "the device's cybersecurity controls, potential risks, and other relevant information" through manuals and other guides to maintain the device's cybersecurity over its life cycle. The guidance also includes labeling suggestions for devices with cybersecurity risks, such as detailed diagrams and descriptions of backup-and-restore procedures.
- Compared to previous guidance, the updated 2022 version emphasizes "threat modeling." This term is shorthand for a combination of understanding threats, vulnerabilities, and cybersecurity risks to systems, and it fits into the usual process of cybersecurity risk management. Effectively, it applies context to the idea of "security." That is, since there is no such thing as a 100% secure system, it does not make sense to say a system is "secure" or "insecure" out of context. Rather, one should ask, "secure against what?" The FDA's emphasis on threat modeling means that manufacturers need to understand their systems in detail, as well as the environments where those systems operate and the potential risks in those environments.
- Other significant changes include eliminating the requirement that manufacturers categorize their products into risk tiers, with higher-risk devices falling into Tier 1 and other devices of "Standard Cybersecurity Risk" falling into Tier 2. By eliminating tiers, the 2022 draft guidance sets up a process where documentation is expected to scale naturally with increasing cybersecurity risk.
Generally, it is expected that the new cybersecurity guidance, when finalized, will take a more mature and principled approach to system security by design.
This means manufacturers should carefully consider whether the potential benefits of additional functionality will outweigh potential cybersecurity risks. For example, adding a Wi-Fi or Bluetooth network interface to a medical device may allow connection to a smartphone "app," but do these benefits outweigh the potentially serious risks associated with a network interface? Manufacturers should be ready to prove their cybersecurity analyses to FDA.
How Exponent Can Help
Exponent's multidisciplinary team of software, in vitro diagnostic, and medical device professionals develops safety information for products and processes that comply with pertinent standards, regulations, and best practices. With expertise in global SaMD regulations, cybersecurity, application security, network security, artificial intelligence/machine learning, CLIA compliance, quality system establishment, and FDA/IVDR/MDR assessments, Exponent can assist with software architecture, failure analysis, software characterization, regulatory submission packages, or due diligence.