On October 18, 2018, the Food and Drug Administration (“FDA”) released a draft update to its guidance on the “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.” In providing updated guidance, the FDA continues its extensive efforts[1] to refine its approach to ensuring that marketed medical devices are protected against cybersecurity threats by identifying devices with cybersecurity risk and defining the issues manufacturers should address in the device design, labeling and other documentation that the FDA recommends for pre-market submissions.
Specifically, the FDA’s update expands the draft guidance by recommending the following:
- Tiered Classification of Cybersecurity Risk: A tiered approach to classifying medical devices by potential cybersecurity risk, which requires that all cybersecurity controls be implemented for connected devices capable of causing harm to multiple patients, but permits risk-based control exceptions for lower risk devices;
- Trustworthiness: A framework for designing “trustworthy” devices that incorporates specific design features and cybersecurity controls;
- Cybersecurity Bill of Materials: An expanded “cybersecurity bill of materials” that accompanies a device and lists its hardware and software components, to assist users in identifying potential future vulnerabilities; and
- Device Cybersecurity Labeling: Device labeling recommendations to assist end-users in maintaining the device’s safety and effectiveness with regards to cybersecurity.
Given the above recommendations, manufacturers of Internet-connected devices or other devices that present a cybersecurity risk (such as those that contain software, including firmware, or other programmable logic) should expect additional and more thorough FDA scrutiny of their device’s cybersecurity protections. Manufacturers should be aware that it is often burdensome and costly to incorporate cybersecurity into device design retroactively. Accordingly, manufacturers that are concerned their device may present a cybersecurity risk should consider conducting device risk assessments early and addressing cybersecurity risks throughout the product design lifecycle in order to meet the FDA’s recommendations for premarket submissions as discussed in the draft guidance.
Two Tiered Approach to Device Cybersecurity Risk Classification
The draft guidance adopts a risk-based approach to device cybersecurity that is in line with other widely-accepted industry standards for cybersecurity, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Specifically, the draft guidance introduces a framework for categorizing medical devices into two tiers for cybersecurity purposes, each with different regulatory requirements.[2]
Tier 1 applies to “Higher Cybersecurity Risk” and is reserved for critically connected devices which, if tampered with, could directly result in harm to multiple patients. Examples of Tier 1 devices include, but are not limited to, implantable cardioverter defibrillators (ICDs), pacemakers, left ventricular assist devices (LVADs), brain stimulators and neurostimulators, dialysis devices, infusion and insulin pumps, and the supporting connected systems that interact with these devices such as home monitors and those with command and control functionality such as programmers.
The FDA defines Tier 2 “Standard Cybersecurity Risk” broadly to encompass medical devices that do not meet Tier 1 criteria.
Breach of PHI by itself is not considered patient harm under the draft guidance. One interesting carve-out from the FDA’s consideration of patient harm is that, according to the guidance, the loss of confidential protected health information (PHI) is not considered “patient harm.” However, protecting such information may be required by federal and state law, such as the Health Insurance Portability and Accountability Act (HIPAA).
Categorizing devices into tiers may be difficult. While the examples provided by the FDA are illustrative in the sense of establishing what clearly qualifies as a Tier 1 device, a number of devices will be difficult to categorize. Without further clarification, medical device manufacturers may find the standard “could directly result in harm to multiple patients” difficult to apply to their devices. This is important because different tiers will have different regulatory requirements.
Impact of two tiers. Under the draft guidance, the two tiers would have different design and documentation requirements. According to the draft guidance, certain security controls are recommended for Tier 1 devices, and premarket submissions should include documentation on how the device design and risk assessment incorporate those controls. In contrast, Tier 2 devices do not necessarily need those security controls, but the FDA recommends that submissions provide a risk-based assessment of the potential vulnerabilities and their exploitability to justify why any unimplemented controls are not appropriate for the device.
The draft guidance also adopts the concept of “trustworthy” devices.[3] A trustworthy device is defined as a device that (1) is reasonably secure from cybersecurity intrusion and misuse; (2) provides a reasonable level of availability, reliability, and correct operation; (3) is reasonably suited to performing its intended functions; and (4) adheres to generally accepted security procedures.
Updated guidance consistent with NIST Cybersecurity Framework. Much of the guidance is devoted to how manufacturers should seek to construct a trustworthy device. Manufacturers are well-advised to incorporate cybersecurity into product design early in the device lifecycle, at the presubmission phase, to avoid costly re-work to add such security controls later. The guidance appears to be consistent with the NIST Cybersecurity Framework functions: (1) Identify; (2) Protect; (3) Detect; (4) Respond; and (5) Recover.
Updated guidance tries to balance flexibility and specificity. The draft guidance remains ambiguous at times, even with the additional detail given by the FDA. For instance, the draft guidance instructs device manufacturers to “Maintain Confidentiality of Data” without explaining how this should be done. The guidance, like many cybersecurity frameworks, best practices, and legal requirements, is principles-based, because security controls change frequently and organizations need the flexibility to implement various measures to mitigate the risk. Principles, however, do not give organizations the comfort of knowing with certainty that they are complying with such guidance (or legal requirements).
Cybersecurity Bill of Materials
Under the draft guidance, manufacturers are expected to draft a cybersecurity bill of materials (CBOM) to be shared with customers to help them identify potential threats. The CBOM consists of a list of the commercial and/or off-the-shelf software and hardware components incorporated into a device, so that if such software or hardware later turns out to be vulnerable, the device user can take self-help steps. In practice, however, commentators have predicted that this measure may take time to implement before it can meaningfully help customers.
Expanded Cybersecurity Labeling Recommendations
The draft guidance provides new recommendations for complying with the FDA’s labeling regulations. It emphasizes communicating relevant security information to end users to help ensure that a device remains safe and effective and that the device’s cybersecurity protections are maintained throughout its life cycle.
The FDA uses a legal foundation to support this aspect of the guidance, which suggests that the guidance may not be entirely optional. For example, 21 CFR 801.5 requires that device labeling include adequate directions for use, including statements of all conditions, purposes, or uses for which the device is intended (e.g., hazards, warnings, precautions, contraindications).[4] The FDA states that “informing end-users of relevant security information may be an effective way to comply with labeling requirements.” The FDA lists 14 specific cybersecurity topics that it recommends be included in labeling. Examples include a description of the device features that protect critical functionality even when the device’s cybersecurity “has been compromised,” backup and restore features, and the CBOM described earlier.
Expanded Cybersecurity Documentation
The draft guidance recommends that manufacturers include, as part of their premarket submission, documentation of the design features, risk management efforts and labeling to demonstrate a risk-based approach appropriate for the device. The draft guidance states that design documentation should track the requirements applicable to the device’s tier and include system diagrams (detailing network architecture, communication pathways, authentication mechanisms, etc.) to explain how the device interacts with other systems. Risk management documentation should contain an evaluation of risks and mitigation strategies that can help assure a secure device, according to the draft guidance.
The FDA’s 2018 pre-market guidance offers additional clarity in light of recent industry advancements and practices. The FDA “recognizes that medical device security is a shared responsibility among stakeholders, including health care facilities, patients, health care providers, and manufacturers of medical devices.” The draft guidance takes on the recurring challenge of drafting cybersecurity recommendations that are specific enough to be helpful, yet flexible enough to apply to an industry filled with rapidly evolving devices and greater and more complicated cybersecurity risks.
The FDA will hold a meeting on January 29–30, 2019 to discuss the draft guidance. Comments on the guidance are due by March 18, 2019.