FDA Proposes Updates to Medical Device Premarket Cybersecurity Guidance: An Insight

As connected medical devices increasingly integrate into broader healthcare networks, they offer enhanced patient care coordination. Yet, heightened connectivity also increases cybersecurity risks, potentially jeopardizing not just individual devices but entire networks. Such breaches can disrupt patient care by causing delays in diagnoses or treatments and even paralyze entire hospital systems, as seen in severe ransomware attacks.

In response to these challenges, the Food and Drug Administration issued a draft guidance proposing specific updates to its existing guidance "Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions" (the "Premarket Cybersecurity Guidance"). Once finalized, the updates will supersede the version of that guidance issued on September 27, 2023, with the aim of strengthening device cybersecurity against threats and vulnerabilities that emerge across the device lifecycle.

Until the draft is finalized, the current Premarket Cybersecurity Guidance continues to represent the Agency's thinking on the topic. After receiving and reviewing public comments, FDA intends to fold the proposed updates into the Premarket Cybersecurity Guidance as a single consolidated document. Sections not touched by the proposed updates are expected to remain unchanged, apart from minor technical edits for consistency.

Section 3305 of the Food and Drug Omnibus Reform Act of 2022 ("FDORA"), enacted on December 29, 2022, added section 524B, "Ensuring Cybersecurity of Medical Devices," to the FD&C Act. Under section 524B(a), a person who submits a 510(k), Premarket Approval Application (PMA), Product Development Protocol (PDP), De Novo request, or Humanitarian Device Exemption (HDE) application for a device that meets the definition of a "cyber device" in section 524B(c) must include the information FDA requires to demonstrate compliance with the cybersecurity requirements of section 524B(b).

[Also read: 5 Tips for Cybersecurity Management for Cloud-Connected Medical Devices]

II. Cyber Devices

FDA proposes adding a new Section VII to the Premarket Cybersecurity Guidance; Section II of the draft guidance sets out the proposed text for it. That text describes the cybersecurity information FDA considers necessary to satisfy the requirements of section 524B of the FD&C Act.

A. Obligations under Section 524B of the FD&C Act

Under section 524B(a) of the FD&C Act, any person, including a manufacturer, who submits a premarket application through the 510(k), PMA, PDP, De Novo, or HDE pathway for a device that meets the definition of a "cyber device" in section 524B(c) must include the information FDA requires to demonstrate compliance with the cybersecurity requirements of section 524B(b).

B. Devices Covered by Section 524B of the FD&C Act

Section 524B of the FD&C Act applies to "cyber devices." As defined in section 524B(c), a "cyber device" is a device that: (1) includes software validated, installed, or authorized by the sponsor as a device or in a device; (2) has the ability to connect to the internet; and (3) contains any such technological characteristics, validated, installed, or authorized by the sponsor, that could be vulnerable to cybersecurity threats.

Drawing in part on the definition of "software" used by the National Institute of Standards and Technology (NIST), FDA reads the first element broadly: a device that includes any software, including firmware or programmable logic, meets it. FDA reads the second element to cover devices that can connect to the internet, intentionally or unintentionally, through any path identified while assessing the device's threat surface and use environment.

The practical consequence is that if a device is capable of connecting to the internet, FDA treats it as potentially connected, whether or not the sponsor intended that connectivity.

FDA regards a device with any of the following capabilities as able to connect to the internet. The list is illustrative, not exhaustive:

  • Wi-Fi or cellular connectivity
  • Network, server, or Cloud Service Provider connections
  • Bluetooth or Bluetooth Low Energy functionality
  • Radiofrequency communications
  • Inductive communications
  • Hardware connectors enabling internet connectivity (e.g., USB, Ethernet, serial port)

C. Documentation Recommendations for Compliance with Section 524B

To meet the requirements of section 524B of the FD&C Act, manufacturers must provide documentation appropriate to the type of premarket submission. The guidance recommends the documentation that supports each of the three requirements below.

Plans and Procedures (Section 524B(b)(1))

Section 524B(b)(1) of the FD&C Act requires manufacturers of cyber devices to submit to FDA a plan to monitor, identify, and address, as appropriate and in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures.

FDA considers coordinated vulnerability disclosure (CVD) and its related procedures to include the following:

  • Coordinated disclosure of vulnerabilities and exploits identified by external entities, including third-party software suppliers and researchers.
  • Disclosure of vulnerabilities and exploits identified by the manufacturer of cyber devices.
  • Manufacturer procedures for executing disclosures of identified vulnerabilities and exploits.

The plan required by section 524B(b)(1) should also state, with justification, the timelines for developing and releasing the updates and patches that section 524B(b)(2) requires:

  • Section 524B(b)(2)(A) of the FD&C Act requires manufacturers of cyber devices to make available, on a reasonably justified regular cycle, updates and patches for known unacceptable vulnerabilities.
  • Section 524B(b)(2)(B) of the FD&C Act requires manufacturers of cyber devices to make available, as soon as possible and out of cycle, updates and patches to the device and related systems for critical vulnerabilities that could cause uncontrolled risks.

FDA also recommends that manufacturers anticipate and incorporate appropriate updates to these plans, and to the processes and procedures discussed under section 524B(b)(2) below, as new information emerges throughout the product lifecycle, including new risks, threats, vulnerabilities, assets, or adverse impacts.

To support this, manufacturers should develop or revise the relevant documentation (for example, the threat model) and keep it current over the device lifecycle. A maintained threat model lets a manufacturer quickly determine the impact of a vulnerability discovered after release, which in turn helps meet the patching requirements of section 524B(b)(2)(A)-(B) of the FD&C Act.

Additionally, a manufacturer's procedures for disclosing vulnerabilities and exploits should cover notifying device users, customers, patients, and other relevant healthcare stakeholders.

The required plan, and the processes and procedures discussed under section 524B(b)(2) below, should also account, where applicable, for differences in risk management across fielded devices, including devices still marketed and devices no longer marketed but still in use. For instance, if an update is not applied automatically to every fielded device, units running different software versions will carry different risk profiles. Each vulnerability should therefore be assessed against every fielded version so that its impact, and the resulting patient risk, is characterized accurately for each.

Design, Develop, and Maintain Processes and Procedures to Provide Cybersecurity Assurance (Section 524B(b)(2))

Section 524B(b)(2) of the FD&C Act requires manufacturers to design, develop, and maintain processes and procedures that provide reasonable assurance that the device and related systems are cybersecure, including manufacturer-controlled elements such as other devices, update servers, and connected healthcare networks. The documentation recommendations in the Premarket Cybersecurity Guidance should be used to demonstrate compliance with this requirement.

Software Bill of Materials (SBOM) (Section 524B(b)(3))

Section 524B(b)(3) of the FD&C Act requires manufacturers to provide an SBOM for a cyber device that covers its commercial, open-source, and off-the-shelf software components. The SBOM should follow the recommendations in Section V.A.4(b) of the Premarket Cybersecurity Guidance.
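The two points above, that an SBOM exists to drive vulnerability response and that a vulnerability must be assessed against every fielded software version, are easiest to see with a small worked example. The Python below is an added illustration, not part of the FDA guidance or of this post. The SBOMs, the component names ("tinytls", "rtos-core"), the firmware versions, and the advisory are all constructed; the SBOM layout follows CycloneDX JSON but only the fields this example reads are modelled. The required-field list is this example's own minimal choice for triage (supplier, name, version, package URL), not the full set of SBOM elements the guidance recommends.

```python
"""Use per-version SBOMs to find which fielded firmware builds carry a vulnerable component.

Everything here is constructed for illustration: the SBOMs, component names,
firmware versions and the advisory are invented, not taken from any real device.
"""
import json

# Per-component fields this example insists on before an SBOM is usable for triage
# (an example choice; the guidance's Section V.A.4 lists the recommended elements).
REQUIRED_COMPONENT_FIELDS = ("supplier", "name", "version", "purl")

# Constructed CycloneDX-style SBOMs, one per fielded firmware version. fw-1.4 is an
# old build still in the field; its "tinytls" entry omits the supplier on purpose.
FIELDED_SBOMS = {
    "fw-1.4": """{
      "bomFormat": "CycloneDX", "specVersion": "1.5",
      "components": [
        {"type": "library", "name": "tinytls", "version": "3.0.4",
         "purl": "pkg:generic/tinytls@3.0.4"},
        {"type": "library", "name": "rtos-core", "version": "7.1.0",
         "supplier": {"name": "Example RTOS Ltd"},
         "purl": "pkg:generic/rtos-core@7.1.0"}
      ]}""",
    "fw-1.6": """{
      "bomFormat": "CycloneDX", "specVersion": "1.5",
      "components": [
        {"type": "library", "name": "tinytls", "version": "3.1.2",
         "supplier": {"name": "Example Crypto GmbH"},
         "purl": "pkg:generic/tinytls@3.1.2"},
        {"type": "library", "name": "rtos-core", "version": "7.1.0",
         "supplier": {"name": "Example RTOS Ltd"},
         "purl": "pkg:generic/rtos-core@7.1.0"}
      ]}""",
    "fw-2.0": """{
      "bomFormat": "CycloneDX", "specVersion": "1.5",
      "components": [
        {"type": "library", "name": "tinytls", "version": "3.2.1",
         "supplier": {"name": "Example Crypto GmbH"},
         "purl": "pkg:generic/tinytls@3.2.1"},
        {"type": "library", "name": "rtos-core", "version": "7.2.0",
         "supplier": {"name": "Example RTOS Ltd"},
         "purl": "pkg:generic/rtos-core@7.2.0"}
      ]}""",
}

# Constructed advisory: versions >= introduced and < fixed are affected.
ADVISORY = {"component": "tinytls", "introduced": "3.0.0", "fixed": "3.2.1"}


def parse_version(text):
    """'3.2.1' -> (3, 2, 1). Stops at the first non-numeric segment ('3.2.1-rc' -> (3, 2))."""
    parts = []
    for segment in text.split("."):
        if not segment.isdigit():
            break
        parts.append(int(segment))
    return tuple(parts)


def sbom_gaps(raw_sbom):
    """Return 'name version: field' for every component missing a required field."""
    gaps = []
    for component in json.loads(raw_sbom).get("components", []):
        label = f"{component.get('name', '?')} {component.get('version', '?')}"
        for field in REQUIRED_COMPONENT_FIELDS:
            if not component.get(field):
                gaps.append(f"{label}: {field}")
    return gaps


def component_affected(component, advisory):
    """True if this component is the advisory's component and sits in the affected range."""
    if component.get("name") != advisory["component"]:
        return False
    version = parse_version(component.get("version", ""))
    return parse_version(advisory["introduced"]) <= version < parse_version(advisory["fixed"])


def affected_fleet(fielded_sboms, advisory):
    """Map each fielded firmware version to whether its SBOM contains a vulnerable component."""
    return {
        fw: any(component_affected(c, advisory)
                for c in json.loads(raw).get("components", []))
        for fw, raw in fielded_sboms.items()
    }


if __name__ == "__main__":
    for fw, raw in FIELDED_SBOMS.items():
        for gap in sbom_gaps(raw):
            print(f"{fw}: SBOM incomplete -> {gap}")
    for fw, hit in affected_fleet(FIELDED_SBOMS, ADVISORY).items():
        status = "AFFECTED" if hit else "not affected"
        print(f"{fw}: {status} by the {ADVISORY['component']} advisory")
```

Run as a script, the check reports that fw-1.4 and fw-1.6 are affected while fw-2.0 (which shipped the fixed library) is not, and flags the incomplete supplier field in the fw-1.4 SBOM. That split across versions is exactly the per-version impact assessment the guidance asks for: the same advisory yields different patient risk depending on which firmware a unit in the field is running, and only a maintained SBOM for each shipped version makes that determination mechanical.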

[Recommended Reading: Understanding the Impact: FDA's Take on AI and ML in Medical Devices]

BioT's Advanced Cybersecurity Package for Cloud-Powered Medical Devices

BioT's No-Code, FDA- and HIPAA-compliant cloud platform turns medical devices into connected care solutions. Our team combines expertise in software, in vitro diagnostics, and medical devices to develop security and safety documentation aligned with the relevant standards, regulations, and best practices.

BioT's cybersecurity package for its customers, aligned with the Section 524B requirements summarized above, includes the following documents and procedures for cloud-powered medical devices:

Cybersecurity Management Plan

Monitoring and Vulnerability Disclosure Plan: A detailed strategy for continuous monitoring, identifying, and addressing postmarket cybersecurity vulnerabilities. This includes a coordinated vulnerability disclosure procedure involving external entities like third-party software suppliers and researchers and disclosures of vulnerabilities identified by BioT.

Update and Patching Schedule: A timeline, with justification, for developing and releasing updates and patches for known unacceptable vulnerabilities on a reasonably justified regular cycle, and for critical vulnerabilities out of cycle to address uncontrolled risks.

Design, Development, and Maintenance Procedures

Processes for Assurance of Cybersecurity: Documentation of the processes and procedures designed, developed, and maintained to assure the cybersecurity of the device and related systems, including manufacturer-controlled elements, software/firmware update processes, and connections to third-party networks.

Risk Management Documentation: Updates to plans, processes, and procedures as new information on risks, threats, vulnerabilities, assets, or adverse impacts is discovered, maintained throughout the product lifecycle.

Software Bill of Materials (SBOM)

Comprehensive SBOM: An SBOM covering the commercial, open-source, and off-the-shelf software components used in the device, intended to support compliance with Section 524B(b)(3) of the FD&C Act by providing the component transparency that vulnerability management and response depend on.

BioT's cybersecurity package is designed to meet and exceed FDA guidelines, providing our customers with the tools and documentation to ensure their medical devices remain secure, resilient, and compliant with the latest cybersecurity standards.

References: https://www.fda.gov/media/176944/download