FDA Updates Guidance on “Cybersecurity in Medical Devices” and Seeks Industry Comments Hogan Lovells

Background

In June 2013, the FDA published the brief draft guidelines, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices”, finalized in 2014. In 2018, the FDA offered substantial updates to the 2013-14 guidelines and published draft guidelines of the same name, which we have summarized online here. In the meantime, the final Postmarket Management of Cybersecurity in Medical Devices (“Postmarket Cybersecurity Guidance”) issued in 2016 supplemented the 2018 premarket guidelines and remains in effect.

The draft 2022 guidance analyzed here supersedes the draft 2018 version and adds significant discussion intended to further emphasize the importance of ensuring devices are designed securely, helping to mitigate emerging cybersecurity risks throughout of the total product life cycle (TPLC) of the device. In addition, throughout the document, the agency recalls that risk management work according to ISO 14971 can lead to a different and contrary conclusion to the cybersecurity risk assessment of vulnerabilities and although these two types of activities are intrinsically linked, they should be treated as separate. The updated draft guidance also aims to more clearly outline the FDA’s recommendations for the content of premarket submissions to address cybersecurity concerns. In announcing the draft guidance, the FDA noted that regular reviews and updates are particularly needed with respect to the topic of cybersecurity due to “the rapidly changing landscape and increased understanding of threats and their potential mitigations,” as well as a growing number of hacks targeting devices and healthcare providers. The FDA’s view in this regard is consistent with how regulators in other industries are increasingly pointing to the changing cyber threat landscape as requiring more agile approaches to both industry and regulatory oversight.

Secure product development framework to satisfy QSR

General principles set out in the draft guidance include a recognition that cybersecurity is part of device safety and the QSR, which require a medical device manufacturer to establish and maintain procedures to develop and validate device design. a device. These QSR expectations include software validation and risk analysis, which the FDA says are key elements of cybersecurity analyzes and demonstrate whether a connected device has a reasonable assurance of safety and effectiveness.

New in the 2022 draft guidelines, the FDA focuses on an SPDF’s ability to meet QSR requirements. The FDA describes an SPDF as “a set of processes that reduce the number and severity of product vulnerabilities throughout the device lifecycle.” The SPDF should understand a device manufacturer’s security-focused risk management efforts, as well as the development of a robust security architecture of each of its devices from various perspectives, including “all end-to-end connections entering and/or leaving the system”. and perform cybersecurity testing, such as security requirements definition, threat mitigation, vulnerability testing, and penetration testing in accordance with the draft guidelines. For example, the updated draft guidance includes a new subsection emphasizing FDA expectations regarding threat modeling as a key component of overall security risk management, building on on previous FDA statements that this is a point of attention in premarket review.

The guidelines make it clear that the FDA expects a device manufacturer’s safety risk management efforts to be documented and described in a premarket submission. The FDA says it will be better able to assess its safety and weigh potential hacking risks if this information is submitted to the agency during the premarket review process. Many elements of the updated draft guidance follow the kinds of questions the FDA was increasingly asking during premarket review, and so the guidance can help other companies better anticipate how the FDA will assess cybersecurity and create corresponding types of documentation to reduce or avoid delays in premarket review. .

Software nomenclature and transparency

The 2022 draft guidelines also include a new recommendation that manufacturers include a software bill of materials (SBOM) with all new products that gives users information about the different parts that make up a device. An SBOM includes both components developed by the device manufacturer and third-party components (including purchased/licensed software and open source software), as well as upstream software dependencies required/dependent on proprietary software, purchased/licensed and open source. . An SBOM encompasses all software components (licensed, developed, or remotely accessible) that are necessary for a device to function through all phases of its lifecycle, including development, release, support, and retirement. service.

This recommendation to include an SBOM replaces the suggestion to include a Cybersecurity Bill of Materials (CBOM), which was an arguably more onerous requirement, given that a CBOM must also consider the types of hardware that may become vulnerable to vulnerabilities. The creation of CBOM has been the subject of some controversy within the industry due to the burdens associated with creating such a document and the amount of disclosure that would be required.

Beyond the requirement for SBOM transparency, the guidelines emphasize transparency by asking manufacturers to provide technical information, such as manuals that healthcare providers can use to do their part to manage device security and act quickly to remediate devices when needed. The FDA also makes it clear that the SBOM should be maintained as part of an organization’s configuration management and be regularly updated, and suggests that it should be part of a design history file and a master design file. The FDA, in the guidance, identifies supporting SBOM information that must be submitted to the FDA in premarket submissions and also notes that it will accept SBOMs that meet industry standards.

As a major part of the FDA’s desire for transparency, the agency provides detailed recommendations for labeling and in particular when cybersecurity risk management is transferred to the user (consistent with the agency’s acknowledgment that effective cybersecurity management is a shared responsibility among stakeholders in the environment of use of medical equipment). medical device systems, including healthcare facilities, patients, healthcare providers and medical device manufacturers). Consistent with its broader view of the TPLC, the FDA recommends manufacturers establish a plan for how they will identify and communicate vulnerabilities, refers to the Postmarket Cybersecurity Guidance, and also recommends companies plan for the possibility that third-party software built into the device can achieve obsolescence by suggesting that companies might want to include provisions in license agreements upfront to secure rights to software code should this occur.

Risk levels

Although the 2022 draft guidance is significantly longer than its 2018 predecessor, the FDA has removed the requirement that sponsors categorize their medical device into cybersecurity risk levels (although we note that security level scans software concern are still required under separate FDA guidelines). Instead of this discussion, the FDA added in the draft 2022 guidelines a substantial explanation of how this documentation should look like a premarket submission.

Summary

This guidance goes much more in-depth on how to address cybersecurity in the design and development of software products than before and combines the resulting design control documentation with that which the FDA recommends to be submitted in software product submissions. pre-marketing. Additionally, it more explicitly identifies and describes the types of scans and records the agency expects to create to specifically address cybersecurity, which does not replace normal design control risk management processes. of a business, but should rather be seen as complementing it. In the FDA’s view, this level of detail should help companies better align their design control process with its processes for assessing software safety risks and generating records that will meet the expectations of the FDA. FDA in cybersecurity management and may also be submitted in a premarket submission. The length and amount of detail provided in the guidance is helpful, but can also cause problems for some companies; especially those who are quite advanced in the development of their product. As the FDA has been very clear over the past few years, cybersecurity needs to be built in, not bolted on, but some companies may have no choice but to do more of both to meet new FDA guidelines with devices already in preparation.

Next steps

In March, U.S. Representative Michael Burgess (R-TX) introduced the Protecting and Transforming Cyber ​​Health Care Act of 2022 (PATCH Act, HR 7084) to Congress, which aims to strengthen the security of medical devices by requiring manufacturers to have a plan to monitor and address post-market cyber exploits, among other measures. Later in March, American senses Bill Cassidy (R-LA) and Tammy Baldwin (D-WI) introduced the same legislation in the Senate. We will continue to monitor these proposed measures and keep you informed of any changes.

The FDA invites comments on the draft guidance through July 7, 2022. If you have questions about the draft guidance, cybersecurity issues more generally, or would like to submit a comment, please contact one of the authors of this alert or the Hogan Lovells attorney you typically work with.

Comments are closed.