- The FDA released its anticipated draft cybersecurity guidance Thursday, providing a framework for how medical device manufacturers should consider security measures throughout a device’s lifecycle. The guidance includes some measures recommended in the 2018 FDA report Action plan for the safety of medical devices, in particular recommending that manufacturers build in the ability to update devices and develop a software bill of materials to track software components developed by the manufacturer and by third parties.
- The agency also recommends developers implement a Secure Product Development Framework, a set of processes aimed at reducing the number and severity of vulnerabilities throughout a device’s lifecycle.
- Separately, legislation was recently introduced in Congress that would give the FDA the authority to implement cybersecurity requirements for manufacturers seeking premarket approval, and require the development of a plan to identify and address postmarket cybersecurity vulnerabilities.
Overview of the dive:
The new cybersecurity guidance would replace a previous draft guidance from 2018 and is intended to emphasize the importance of ensuring devices are designed to be safe, an FDA spokesperson wrote in an email.
It is also intended to help mitigate cybersecurity risks throughout a product’s lifecycle and to more clearly outline FDA recommendations for premarket submissions regarding cybersecurity.
Previously, the FDA drafted guidance in 2014 on its expectations for pre-market submissions, and two years later, one on post-market management of cybersecurity in medical devices.
“However, the rapidly changing landscape, a better understanding of emerging threats, and the need for deployment capable of mitigation throughout the Total Product Lifecycle (TPLC) warrant a refreshed and iterative approach to device cybersecurity,” the agency noted in the new guidelines.
Under the new guidelines, design and documentation in submissions should evolve with a device’s cybersecurity risk. The FDA gave the example of a thermometer: a simple, unconnected thermometer would have limited security risks and would only need a limited security architecture. However, if the thermometer is used as part of a safety-critical control loop, or is connected to other networks or devices, more extensive design checks and documentation must be submitted as part of the pre-market submission.
The FDA also recommends that device manufacturers include documentation of their security architecture in submissions, as well as metrics on their processes for identifying and remediating vulnerabilities. At a minimum, manufacturers should report the percentage of identified vulnerabilities that are updated or fixed, the time between the identification of a vulnerability and the update or patch, and the time between when an update or fix is available and its full implementation in devices deployed in the field.
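One way a manufacturer could compute those three reported metrics from its vulnerability-tracking records, as an added example that is not from the FDA guidance or the article; the record layout, the constructed SAMPLE records, the REPORT_DATE and the `overdue` SLA helper are assumptions:

```python
"""Constructed example: the three vulnerability-handling metrics in the draft
guidance (percent fixed, identify-to-patch time, patch-to-full-deployment time).
The record layout and sample data are assumptions, not real vulnerabilities."""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional


@dataclass
class VulnRecord:
    vuln_id: str                             # manufacturer's internal tracking id
    identified: date                         # date the vulnerability was confirmed
    patch_available: Optional[date] = None   # None: no fix released yet
    fully_deployed: Optional[date] = None    # None: fix not yet on all fielded devices


def vuln_metrics(records: List[VulnRecord]) -> Dict[str, object]:
    """Percent fixed, mean identify-to-patch days and mean patch-to-full-deployment days."""
    patched = [r for r in records if r.patch_available is not None]
    deployed = [r for r in patched if r.fully_deployed is not None]
    id_to_patch = [(r.patch_available - r.identified).days for r in patched]
    patch_to_deploy = [(r.fully_deployed - r.patch_available).days for r in deployed]
    return {
        "total": len(records),
        "percent_fixed": 100.0 * len(patched) / len(records) if records else 0.0,
        "mean_days_identify_to_patch": mean(id_to_patch) if id_to_patch else None,
        "mean_days_patch_to_full_deployment": mean(patch_to_deploy) if patch_to_deploy else None,
        "unfixed": [r.vuln_id for r in records if r.patch_available is None],
        "fixed_not_fully_deployed": [r.vuln_id for r in patched if r.fully_deployed is None],
    }


def overdue(records: List[VulnRecord], as_of: date, max_days: int) -> List[str]:
    """Ids with no fix released within max_days of identification, as of the given date."""
    return [r.vuln_id for r in records
            if r.patch_available is None and (as_of - r.identified).days > max_days]


# Constructed sample records (hypothetical ids and dates).
SAMPLE = [
    VulnRecord("V-001", date(2021, 1, 10), date(2021, 2, 9), date(2021, 4, 10)),
    VulnRecord("V-002", date(2021, 3, 1), date(2021, 3, 31)),
    VulnRecord("V-003", date(2021, 5, 15)),
    VulnRecord("V-004", date(2021, 6, 1), date(2021, 6, 11), date(2021, 7, 1)),
]
REPORT_DATE = date(2021, 8, 1)  # assumed reporting date for the overdue check

if __name__ == "__main__":
    for key, value in vuln_metrics(SAMPLE).items():
        print(f"{key}: {value}")
    print("overdue (60-day fix window):", overdue(SAMPLE, REPORT_DATE, 60))
```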
The agency has been seeking more authority to require medical device companies to provide more cybersecurity information upfront as part of a pre-market submission, including a software bill of materials and the ability to update and patch device security built into a product’s design. The agency also wants to be able to require timely updates and patches for legacy devices, Kevin Fu, CDRH’s acting director for medical device cybersecurity, told MedTech Dive last year.
A bill, the Protecting and Transforming Cyber Health Care (PATCH) Act, would expand security requirements for device makers and require them to monitor and address post-market cybersecurity vulnerabilities. The bipartisan bill, sponsored by Sens. Tammy Baldwin, D-Wisc., and Bill Cassidy, R-La., was recently introduced in the Senate, and companion legislation has been introduced in the House of Representatives.