- The FDA issued its anticipated cybersecurity draft guidance on Thursday, providing a framework for how medical device makers should consider security measures throughout a device's lifecycle. The guidance includes some measures recommended in the FDA's 2018 Medical Device Safety Action Plan, including recommending that manufacturers build in the ability for devices to be updated, and that they develop a Software Bill of Materials to make it easier to keep track of manufacturer-developed and third-party software components.
- The agency also recommends that developers implement a Secure Product Development Framework, a set of processes to reduce the number and severity of vulnerabilities throughout a device's lifecycle.
- Separately, legislation was recently introduced in Congress that would give FDA the authority to implement cybersecurity requirements for manufacturers applying for premarket approval, and require the development of a plan to identify and address postmarket cybersecurity vulnerabilities.
The new cybersecurity guidance would replace a previous draft guidance from 2018, and is intended to emphasize the importance of ensuring that devices are designed securely, an FDA spokesperson wrote in an email.
It's also intended to help mitigate cybersecurity risks throughout the entire lifecycle of a product, and more clearly outline the FDA's recommendations for premarket submissions around cybersecurity.
Previously, the FDA had written a guidance in 2014 for its expectations for premarket submissions, and two years later, one on postmarket management of cybersecurity in medical devices.
"However, the rapidly evolving landscape, an increased understanding of emerging threats, and the need for capable deployment of mitigations throughout the total product lifecycle (TPLC) warrants an updated, iterative approach to device cybersecurity," the agency noted in the new guidance.
Per the new guidance, design and documentation in submissions is expected to scale with the cybersecurity risk of a device. For instance, the FDA gave the example of a thermometer: A simple, non-connected thermometer would have limited security risks, and only need a limited security architecture. However, if the thermometer was used as part of a safety-critical control loop, or was connected to other networks or devices, then more substantial design controls and documentation should be submitted as part of the premarket submission.
The FDA also recommends that device manufacturers include documentation of their security architecture in submissions, as well as metrics on their processes for identifying and patching vulnerabilities. At minimum, manufacturers should report the percentage of identified vulnerabilities that are updated or patched, the time from vulnerability identification to update or patch, and the time from when an update or patch is available to complete implementation in devices deployed in the field.
The agency has been seeking more authority to require medical device companies increase cybersecurity information upfront as part of a premarket submission, including a Software Bill of Materials and the capability to update and patch device security into a product's design. The agency also wants to be able to require timely updates and patches for legacy devices, CDRH's Acting Director for Medical Device Cybersecurity Kevin Fu told MedTech Dive last year.
A piece of proposed legislation, the Protecting and Transforming Cyber Health Care (PATCH) Act, would expand security requirements for device manufacturers and introduce requirements for them to monitor and address postmarket cybersecurity vulnerabilities. The bipartisan bill, sponsored by Sens. Tammy Baldwin, D-Wisc., and Bill Cassidy, R-La., was recently introduced in the Senate and there is companion legislation in the House of Representatives.