The U.S. Food and Drug Administration (FDA) recently issued a dense, 24-page draft guidance, titled "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices" (the guidance). The guidance notes that cybersecurity incidents have "rendered medical devices and hospital networks inoperable"1 and that the "need for effective cybersecurity to ensure medical device functionality and safety has become more important…"2
The FDA previously issued a final guidance in 2014, but notes that the "rapidly evolving landscape, and the increased understanding of threats and their potential mitigations" necessitated an updated approach. The FDA intends the guidance, when finalized, to replace the 2014 final guidance.3,4 The guidance takes a principles-based regulatory approach.
The guidance applies to medical devices that contain "software (including firmware)," "programmable logic," and "software that is a medical device."5 For devices that contain software, the guidance applies to: Premarket Notifications (i.e., 510(k) submissions—traditional, special, and abbreviated); De Novo requests; Premarket Approval Applications (PMAs); Product Development Protocols (PDPs); and Humanitarian Device Exemption (HDE) applications.6
Regulatory Framework (Tiers 1 and 2)
The guidance defines two tiers of cybersecurity risk. A medical device is tier 1 risk if: (i) the device is capable of connecting to another medical or non-medical product, a network, or the internet; and (ii) a cybersecurity incident affecting the device could directly result in harm to patients.7 Examples of tier 1 devices include connected or connectable: implantable cardioverter defibrillators, pacemakers, left ventricular assist devices, brain stimulators, dialysis devices, and infusion and insulin pumps.8
It is worth noting that the guidance's cybersecurity risk assessment is different from the FDA's general categorization of medical devices by risk (i.e., class I, II, and III). For example, a wirelessly connected insulin pump can be both a class II (intermediate risk) medical device and a tier 1 (higher) cybersecurity risk device.
The second tier, or tier 2, is a device for which the criteria for a tier 1 device are not met. We note that outside of the enumerated tier 1 cybersecurity risk devices, when a medical device is connected or connectable, the standard that "a cybersecurity incident affecting the device could directly result in harm to multiple patients" may make it difficult to accurately determine whether a medical device is a tier 1 or tier 2 cybersecurity risk. Manufacturers should address the cybersecurity tier in which their device may fall, and the corresponding mitigation factors and testing requirements, with the FDA during prescheduled pre-submission meetings.
Loss of PHI Not Considered a Patient Harm
Interestingly, for purposes of the guidance, harms such as loss of protected health information (PHI) are not considered patient harms.9 However, loss of PHI may nevertheless violate applicable federal and state laws, including privacy laws and the Health Information Portability and Accountability Act (HIPAA).
A significant part of the guidance is devoted to helping to ensure that a device can be trustworthy.
The guidance states that trustworthy devices: (i) are reasonably secure from cybersecurity intrusion and misuse; (ii) provide a reasonable level of availability, reliability, and operation; (iii) are reasonably suited to performing their intended functions; and (iv) adhere to generally accepted security procedures.10
The guidance provides suggestions for designing and manufacturing a trustworthy device, as well as recommendations for documentation and testing to be included with premarket submissions. The guidance notes that specific protection mechanisms "should prevent all unauthorized device use (through all interfaces); ensure code, data, and execution integrity (subversion of system functionality/safety/security features); and as appropriate, protect confidentiality of data."11
The guidance also discusses labeling considerations for medical devices with cybersecurity risks.12 The guidance provides 14 specific recommendations—recommendation No. 12 is worthy of mention. Recommendation 12 includes providing a Cybersecurity Bill of Materials (CBOM). The CBOM should include, "but not be limited to, a list of commercial, open source, and off-the-shelf software and hardware components to enable device users…to effectively manage their assets…identify vulnerabilities of the device…and deploy countermeasures to maintain the device's essential performance."13
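To make the CBOM recommendation concrete, the following is an added example (not code from the FDA guidance or from any device manufacturer) of how a device user or manufacturer might represent a CBOM as structured data and check it against a vulnerability feed to find affected components, which is the "identify vulnerabilities of the device" purpose the guidance names. Every component, version and advisory identifier below is constructed for illustration; the `ADV-EXAMPLE-…` identifiers are placeholders, not real advisories.

```python
"""Check a Cybersecurity Bill of Materials (CBOM) against a vulnerability feed.

Added example: all components, versions and advisories are constructed sample
data, not taken from the FDA guidance or any real device or advisory database.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    """One CBOM entry: the guidance asks for commercial, open source and
    off-the-shelf software *and* hardware components, so 'kind' records which."""
    name: str
    version: str
    kind: str    # "software" or "hardware"
    source: str  # "commercial", "open-source" or "off-the-shelf"


@dataclass(frozen=True)
class Advisory:
    """One entry from a (constructed) vulnerability feed."""
    advisory_id: str
    component: str
    fixed_in: str  # versions strictly lower than this are affected
    summary: str


# Constructed sample CBOM for a hypothetical connected device.
CBOM = [
    Component("openssl", "1.0.2", "software", "open-source"),
    Component("rtos-kernel", "4.2.1", "software", "commercial"),
    Component("ble-radio-module", "2.1", "hardware", "off-the-shelf"),
    Component("json-parser", "0.9.3", "software", "open-source"),
]

# Constructed sample advisories; the identifiers are placeholders.
ADVISORIES = [
    Advisory("ADV-EXAMPLE-0001", "openssl", "1.1.0", "placeholder: TLS handshake flaw"),
    Advisory("ADV-EXAMPLE-0002", "ble-radio-module", "2.0", "placeholder: pairing weakness"),
    Advisory("ADV-EXAMPLE-0003", "json-parser", "1.0.0", "placeholder: parser crash on bad input"),
]


def parse_version(version: str) -> tuple:
    """Turn '1.0.2' into (1, 0, 2) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def affected_components(cbom, advisories):
    """Return (component, advisory) pairs where the CBOM version is below the fix."""
    by_name = {component.name.lower(): component for component in cbom}
    hits = []
    for advisory in advisories:
        component = by_name.get(advisory.component.lower())
        if component is None:
            continue  # advisory is for something not in this device's CBOM
        if parse_version(component.version) < parse_version(advisory.fixed_in):
            hits.append((component, advisory))
    return hits


def format_report(hits):
    """One line per affected component, suitable for an asset-management ticket."""
    return [
        f"{component.name} {component.version} ({component.kind}, {component.source}): "
        f"{advisory.advisory_id} fixed in {advisory.fixed_in}; {advisory.summary}"
        for component, advisory in hits
    ]


if __name__ == "__main__":
    for line in format_report(affected_components(CBOM, ADVISORIES)):
        print(line)
```

The hardware entry matters: the guidance's CBOM covers hardware as well as software, and an off-the-shelf radio module with its own firmware version is exactly the kind of component an asset owner would otherwise miss. In practice the feed would come from the manufacturer's advisories or a vulnerability database rather than the inline list, and the version comparison would need to follow each component's own versioning scheme.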
Finally, the guidance identifies documentation that manufacturers should include in premarket submissions, in addition to any submitted software verification and validation documentation. This documentation includes design documentation and risk management documentation, including the CBOM.14 The recommended documentation is extensive, and manufacturers should put in place systems to track and compile the materials necessary to comply with the FDA's recommendations.
Medical device manufacturers should extensively plan for, and expect, increased FDA scrutiny of the cybersecurity protections of devices that they have in development, as a prerequisite for gaining FDA clearance or approval. Device manufacturers should therefore assess and address cybersecurity risks early in development, as part of design controls, and continuing throughout the device's lifecycle. Finally, as the comments period for the guidance remains open, device manufacturers should consider submitting comments to help further clarify the pre-submission requirements.
Previously, the FDA issued guidance for premarket submissions for software contained in medical devices, and separately issued guidance on cybersecurity for networked medical devices containing off-the-shelf software.