Seeking CISO feedback, FDA shares draft medical device cybersecurity guide
The Food and Drug Administration Center for Devices and Radiological Health issued draft cybersecurity guidance for medical devices, which includes recommendations for designing devices with cybersecurity in mind and FDA guidance for premarket submissions for devices with risks.
The guidance is designed to facilitate “an efficient premarket review process,” while ensuring medical devices marketed to healthcare are “sufficiently resilient to cybersecurity threats.” The FDA is seeking feedback from healthcare leaders to further develop the supportive insights.
The FDA first issued premarket guidance in 2014, later updating it in 2018 to meet the continuously evolving landscape. Industry leaders have been awaiting an update in the last few years.
The latest guidance builds on its initial efforts, incorporating input from healthcare leaders from public meetings, previous comment periods, and recommendations from the Health Care Industry Cybersecurity Task Force Report to identify cybersecurity issues device manufacturers should address in the development and design process, as well as premarket submissions.
The FDA developed the insights in response to the rapid evolution and scope of connected digital medical and Internet of Things (IoT) devices, especially with the increased electronic exchange of health information through medical devices.
As the threats to healthcare become more frequent, severe, and clinically impactful, the FDA warns that “cybersecurity incidents have rendered medical devices and hospital networks inoperable, disrupting the delivery of patient care across healthcare facilities in the US and globally.”
For example, some individual devices act as “single elements of larger medical device systems,” which can include facility networks, other devices, software update servers, and other interconnected components.
“Consequently, without adequate cybersecurity considerations across all aspects of these systems, a cybersecurity threat can compromise the safety and/or effectiveness of a device by compromising the functionality of any asset in the system,” the FDA explained.
“As a result, ensuring device safety and effectiveness includes adequate device cybersecurity, as well as its security as part of the larger system,” it added. With patient safety risks in mind, the FDA guidance seeks to address a number of longstanding challenges posed by increased connectivity.
Voluntary FDA guide provides recommendations for healthcare cyber pros
The guide is meant as voluntary, though it does provide clarity into existing requirements of the law, as well as regulatory and statutory mandates. It also covers all devices that contain software, firmware, programmable logic, and software as a medical device (SaMD).
Manufacturers can leverage the document to find cybersecurity recommendations for FDA device submissions. The guide also covers needed deployment mitigations to protect the device throughout its lifestyle, a longstanding challenge for the sector given its heavy reliance on legacy and/or older devices.
Healthcare security leaders will find recommendations and support for a host of device challenges, including security risk management, cybersecurity transparency (such as label at-risk devices), vulnerability management plans, security control implementations, and views into patching and updates.
The guide comes on the heels of a pair of congressional bills that would establish a number of cybersecurity requirements for device manufacturers, including the development of Software Bill of Materials (SBOMs) to be shared with healthcare users. Upon its release, stakeholders noted the bills address newer devices and fail to address systemic medical device risks and issues.
The FDA insights tackle a host of minute challenges to securing the complex medical device infrastructure. Industry leaders are encouraged to provide feedback to the insights, which will prove crucial to ensure the resource can effectively support the most pressing risks and challenges.
“FDA recognizes that medical device security is a shared responsibility among stakeholders” in the medical device system environment, including provider organizations, patients, and device manufacturers.
In that spirit, the agency also urged device manufacturers to use the new FDA insights in tandem with the previously released medical device security guide from the HSCC.