Last month, the U.S. Food and Drug Administration (FDA) issued its Draft Guidance for the Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.1 Recognizing the increasing need for effective cybersecurity, given the proliferation of wireless, Internet- and network-connected medical devices, as well as the increasing electronic exchange of medical device-derived health information, the draft guidance articulates FDA expectations on cybersecurity measures all manufacturers of software-containing medical devices should consider in preparing virtually any type of medical device premarket submission.2
In general, FDA urges manufacturers to develop security controls that maintain the confidentiality, integrity (i.e., accuracy and completeness) and availability (i.e., ensuring the information is accessible when needed) of information that is contained or transmitted via medical device software.
The guidance also clarifies that the FDA expects manufacturers to take a proactive approach to cybersecurity by considering it during the design phase of medical devices. The draft guidance states that manufacturers should include a cybersecurity risk analysis and management plan as part of the risk analysis required by 21 CFR 820.30(g), which is part of the design control provisions of the device Quality System Regulations (QSR).
In the cybersecurity risk analysis and management plan expected by FDA, manufacturers should define and document the following key elements:
- Identification of assets, threats and vulnerabilities;
- Impact assessment of the threats and vulnerabilities on device functionality;
- Assessment of the likelihood of a threat and of a vulnerability being exploited;
- Determination of risk levels and suitable mitigation strategies; and
- Residual risk assessment and risk acceptance criteria.
FDA also provided a detailed list of cybersecurity-related information manufacturers should include in submissions:
- Hazard analysis, mitigation strategies, and design considerations pertaining to intentional and unintentional device cybersecurity risks, such as:
  - A list of all cybersecurity risks considered in the design of the device; and
  - A list of, and justification for, all cybersecurity controls established for the device;
- A traceability matrix that links the actual implemented cybersecurity controls to the cybersecurity risks that were considered;
- A systematic plan for providing validated updates and patches to operating systems or medical device software, as needed, so that up-to-date protection exists during the product life-cycle;
- Appropriate documentation to show that the device will be provided to purchasers and users free of malware; and
- Instructions for use and product specifications related to recommended anti-virus software and/or firewall use appropriate for the environment of use, even when it is anticipated that users may use their own virus protection software.
In addition, FDA recommends that medical device manufacturers justify in their premarket submission the security features chosen and also consider appropriate security control methods for medical devices, including: (1) limiting access to trusted users only; (2) ensuring trusted content; and (3) content use, fail-safe and recovery features.
The draft guidance also suggests that manufacturers should carefully consider the balance between cybersecurity safeguards and the usability of the device in its intended environment of use (e.g., home use versus healthcare facility use) to ensure that security capabilities are appropriate for the intended users. For example, security controls should not hinder access to the device during an emergency situation. Similarly, FDA recommends that device makers consider how security features may interfere with the ability of healthcare providers to administer the necessary care.
FDA, in issuing the draft guidance, is sending a message to industry that the agency is paying increasing attention to cybersecurity and that medical device makers need to carefully assess how to secure their devices against cyberattacks.
The agency currently has no separate regulation or statutory authority to require cybersecurity measures. However, by linking cybersecurity to the QSR's design control mandate, FDA may be laying the foundation for regarding as adulterated—and thus illegal—any medical device containing software that lacks adequate cybersecurity measures.