With its first guidance in the device space in FY 2019, the US Food and Drug Administration (FDA) unveiled an awaited draft guidance on Wednesday to clarify the agency’s cybersecurity expectations from a premarket perspective.
The draft guidance is an update to 2014 premarket policies on cybersecurity and came as the ink was still wet on the memorandum of agreement (MOA) between FDA and the US Department of Homeland Security (DHS) for strengthening a coordinated approach in responding to cyber threats and vulnerabilities.
The FDA-DHS agreement merely “formalizes a long-standing relationship” between the two agencies, FDA said late Tuesday. It identifies two sets of responsibilities, one for DHS and one for FDA, and mutually agreed-upon principles on information sharing, for which a standard operating procedure must be developed within 90 days of the MOA.
The draft guidance, however, will supersede the policies set forth in 2014 once finalized. It introduces a two-pronged approach to determining cyber risk in medical devices and provides several new definitions of key terms.
A device would fall under Tier 1 “Higher Cybersecurity Risk” if it is “capable of connecting (e.g. wirelessly) to another medical or non-medical product or to a network, or to the internet” and a cybersecurity incident “could directly result in patient harm to multiple patients.” Examples include implantable cardiac defibrillators and pacemakers. All other devices would fall under Tier 2 “Standard Cybersecurity Risk.” The tiers are for “this cybersecurity guidance only,” FDA clarified.
The need to update the 2014 guidance was discussed in March by Suzanne Schwartz, who leads cybersecurity initiatives at FDA’s Center for Devices and Radiological Health (CDRH) and who highlighted certain key themes during RAPS’ 2018 Convergence earlier this month.
“Because of the rapidly evolving nature of cyber threats, we’re updating our guidance to make sure it reflects the current threat landscape so that manufacturers can be in the best position to proactively address cybersecurity concerns when they are designing and developing their devices,” FDA Commissioner Scott Gottlieb said on Wednesday. He noted that the premarket cybersecurity updates are also intended to reflect the agency’s push to extend regulatory considerations across the total product lifecycle.
3 Main Areas
The recommendations cover three main areas in the premarket space—device design, device labeling and submission documentation—to aid agency review staff in conducting premarket reviews. In contrast with the existing premarket policies’ focus on the content of submissions, the draft places greater emphasis on the controls built in while designing and developing devices before they reach the market.
An overarching theme in the areas of device design and premarket documentation relates to the new “trustworthy device” definition. “For devices with cybersecurity risks, we recommend manufacturers design devices that are trustworthy because trustworthy devices may be more likely to meet their applicable statutory standard for premarket review and because trustworthy devices are more likely to remain safe and effective throughout their life-cycle,” the agency said.
A four-fold definition of a trustworthy device in the context of assessing cybersecurity is detailed throughout the 24-page draft guidance. These devices “are reasonably secure from cybersecurity intrusion and misuse; provide a reasonable level of availability, reliability, and correct operation; are reasonably suited to performing their intended functions; and adhere to generally accepted security procedures,” according to the draft guidance.
Another new theme set forth in the draft guidance involves a term FDA dubbed “cybersecurity bill of materials” (CBOM) to identify off-the-shelf software and hardware components susceptible to cyber vulnerabilities. This term is derived from the term “software bill of materials,” which is a list of components in a product that can provide insights into devices already on the market.
A CBOM “can be a critical element in identifying assets, threats and liabilities,” FDA said. It “may also support compliance with purchasing controls, by facilitating the establishment of requirements regarding cybersecurity for all purchased or otherwise received products.”
Design recommendations are in accordance with the 2018 version of the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity. These focus on protecting assets and functionality and on anticipating a “need for deployment of cybersecurity routine updates and patches as well as emergency workarounds.” Patchability and updatability are among the new design terms covered in the draft guidance.
A total of 14 device labeling recommendations are listed in the document as well. These aim to aid a manufacturer in ensuring safety and effectiveness throughout a device’s lifecycle by providing relevant security information to end-users, including instructions for how to respond to a detected cyber vulnerability or cybersecurity incident such as a network outage.
Throughout the development of a device’s design and labeling, firms should keep in mind the types of documentation that should be submitted as part of premarket submissions to CDRH or the Center for Biologics Evaluation and Research. These cybersecurity recommendations cover design documentation for devices in both tiers, system diagrams, a summary of the features that allow for updates and patches as needed, and risk management documentation.
The draft guidance is to be used as a supplement to the recommendations in two final guidance documents issued in 2005: the guidance on the content of premarket submissions for software in medical devices and the guidance on cybersecurity for networked devices containing off-the-shelf software. CDRH’s new FY 2019 guidance development list indicates, however, that the former will be reissued in the form of draft guidance.
Content of Premarket Submissions for Management of Cybersecurity in Medical Devices