FDA Seeks Feedback on Medical Device Security Guidance

The FDA is seeking stakeholder feedback on its updated medical device security guidance regarding premarket submissions.

By Jill McKeon

The US Food and Drug Administration (FDA) is seeking feedback on its updated draft guidance covering cybersecurity considerations for medical device premarket submissions. Stakeholders have until July 7, 2022, to submit feedback for consideration.

The FDA released its final guidance on premarket cybersecurity expectations in 2014 and a further draft guidance in 2018. However, the agency explained, the rapidly changing threat landscape “necessitates an updated approach.”

“This guidance is intended to provide recommendations to industry regarding cybersecurity device design, labeling, and the documentation that FDA recommends be included in premarket submissions for devices with cybersecurity risk,” the FDA explained.

“These recommendations can facilitate an efficient premarket review process and help ensure that marketed medical devices are sufficiently resilient to cybersecurity threats.”

The guidance cited growing concerns surrounding medical device security, including the increasing number of connected devices and a cyberattack’s ability to disrupt patient care.

By ensuring the safety and security of medical devices prior to entering the market, the FDA hopes to also ensure the security of larger systems within a healthcare organization. It only takes one vulnerable device for a threat actor to gain network access, exfiltrate data, or disrupt workflows.

The FDA suggested general principles that device manufacturers should follow to ensure quality, safety, and security. For example, manufacturers should already be meeting Quality System Regulation (QSR) requirements by conducting software validation and risk analyses.

The FDA also recommended that manufacturers implement a Secure Product Development Framework (SPDF), which is a set of processes that aims to reduce the number and severity of vulnerabilities. Transparency, security by design, and thorough submission documentation will help to validate medical device security from a premarket perspective, the FDA suggested.

The guidance also stressed the importance of evaluating third-party software components, utilizing threat modeling, and performing security risk management practices.

In addition, the FDA stressed the need for a software bill of materials (SBOM) for each device and software component.

“A Software Bill of Materials (SBOM) can aid in the management of cybersecurity risks that exist throughout the software stack. A robust SBOM includes both the device manufacturer developed components and third-party components (including purchased/licensed software and open-source software), and the upstream software dependencies that are required/depended upon by proprietary, purchased/licensed, and open-source software,” the guidance stated.

“An SBOM helps facilitate risk management processes by providing a mechanism to identify devices that might be affected by vulnerabilities in the software components, both during development (when software is being chosen as a component) and after it has been placed into the market throughout all other phases of a product’s life.”
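The two uses the guidance describes, recording first-party, purchased and open-source components together with their upstream dependencies, and then using that record to find fielded devices affected by a component vulnerability, can be shown in a few lines of code. The following is an added example in Python, not code from the FDA or from the article. The CycloneDX-style SBOMs, the fleet inventory and the advisory identifier `EXAMPLE-ADV-0001` are all constructed for illustration; `make_sbom`, `dependency_paths` and `affected_devices` are names chosen here. The point it makes is that a dependency graph in the SBOM lets a vulnerability in a library that the manufacturer never selected directly (here `tlslib`, pulled in by the licensed `rtos-net`) still be traced to specific devices.

```python
"""Use a CycloneDX-style SBOM to find which fielded devices carry a vulnerable
component, including components pulled in transitively by purchased software.

Added example; the SBOMs, advisory and fleet inventory below are constructed
for illustration and are not FDA data or any manufacturer's real SBOM.
"""
from __future__ import annotations


def make_sbom(fw_version: str, tls_version: str) -> dict:
    """Build a constructed CycloneDX-style SBOM for one firmware release.

    bom-ref values are package URLs (purl). The 'dependencies' section records
    the graph, so upstream dependencies of purchased or open-source components
    (tlslib is pulled in by the licensed rtos-net, not chosen by the
    manufacturer) are visible, not just the manufacturer's direct choices.
    """
    fw = f"pkg:generic/acme/infusion-fw@{fw_version}"      # first-party firmware
    pump = "pkg:generic/acme/pump-control@1.8.1"            # first-party component
    net = "pkg:generic/vendor/rtos-net@2.0.3"               # purchased/licensed
    tiny = "pkg:generic/oss/tinyjson@0.9.2"                 # open source
    tls = f"pkg:generic/oss/tlslib@{tls_version}"           # open source, transitive
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "metadata": {"component": {"bom-ref": fw, "type": "firmware",
                                   "name": "infusion-fw", "version": fw_version}},
        "components": [
            {"bom-ref": pump, "type": "library", "name": "pump-control", "version": "1.8.1"},
            {"bom-ref": net, "type": "library", "name": "rtos-net", "version": "2.0.3"},
            {"bom-ref": tiny, "type": "library", "name": "tinyjson", "version": "0.9.2"},
            {"bom-ref": tls, "type": "library", "name": "tlslib", "version": tls_version},
        ],
        "dependencies": [
            {"ref": fw, "dependsOn": [pump, net]},
            {"ref": pump, "dependsOn": [tiny]},
            {"ref": net, "dependsOn": [tls]},
            {"ref": tiny, "dependsOn": []},
            {"ref": tls, "dependsOn": []},
        ],
    }


def dependency_paths(sbom: dict, target_name: str) -> list[list[str]]:
    """Return every dependency chain (as component names) from the root
    component down to components named target_name. Shows *why* a device
    carries a component, which is what a remediation plan needs to explain."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom["dependencies"]}
    names = {c["bom-ref"]: c["name"] for c in sbom["components"]}
    root = sbom["metadata"]["component"]["bom-ref"]
    names[root] = sbom["metadata"]["component"]["name"]
    paths: list[list[str]] = []
    stack = [(root, [root])]
    while stack:
        ref, path = stack.pop()
        if names.get(ref) == target_name:
            paths.append([names[r] for r in path])
            continue
        for child in graph.get(ref, []):
            if child not in path:  # guard against cycles in a malformed SBOM
                stack.append((child, path + [child]))
    return paths


def affected_devices(fleet: dict[str, str], sboms: dict[str, dict],
                     advisory: dict) -> dict[str, str]:
    """Map each fielded device to its firmware's SBOM and flag devices whose
    SBOM lists the advisory's component at an affected version."""
    affected: dict[str, str] = {}
    for serial, fw_ref in fleet.items():
        for comp in sboms[fw_ref]["components"]:
            if (comp["name"] == advisory["component"]
                    and comp["version"] in advisory["affected_versions"]):
                affected[serial] = fw_ref
    return affected


# Constructed data: two firmware releases, three devices, one hypothetical advisory.
SBOMS = {s["metadata"]["component"]["bom-ref"]: s
         for s in (make_sbom("3.2.0", "1.4.0"), make_sbom("3.3.0", "1.4.2"))}
FLEET = {"SN-1001": "pkg:generic/acme/infusion-fw@3.2.0",
         "SN-1002": "pkg:generic/acme/infusion-fw@3.3.0",
         "SN-1003": "pkg:generic/acme/infusion-fw@3.2.0"}
ADVISORY = {"id": "EXAMPLE-ADV-0001",  # hypothetical identifier, not a real CVE
            "component": "tlslib", "affected_versions": {"1.4.0", "1.4.1"}}

if __name__ == "__main__":
    hits = affected_devices(FLEET, SBOMS, ADVISORY)
    for serial, fw_ref in sorted(hits.items()):
        chain = dependency_paths(SBOMS[fw_ref], ADVISORY["component"])
        print(f"{serial}: {fw_ref} affected by {ADVISORY['id']} via {chain}")
```

Run stand-alone, the script reports the two devices on firmware 3.2.0 and the chain `infusion-fw -> rtos-net -> tlslib` that explains the exposure; the device on 3.3.0, whose SBOM lists the fixed `tlslib` 1.4.2, is not flagged. The version check here is exact-match against a set, which is enough for an illustration; a production tool would parse version ranges from the advisory format it consumes.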

The sentiments in the FDA’s guidance are similar to those in the recently introduced Protecting and Transforming Cyber Health Care (PATCH) Act.

Introduced in early April, the PATCH Act would “amend the Federal Food, Drug, and Cosmetic Act to require, for purposes of ensuring cybersecurity, the inclusion in any premarket submission for a cyber device of information to demonstrate a reasonable assurance of safety and effectiveness throughout the lifecycle of the cyber device, and for other purposes.”

If passed, medical device manufacturers would have to create SBOMs and thorough plans for addressing postmarket cybersecurity vulnerabilities.

The increased focus on medical device security shows the need to prioritize cybersecurity and vulnerability management across the healthcare sector.