Industry Calls to Eliminate Tiers in FDA’s Premarket Cybersecurity Guidance
Posted 18 March 2019
GE Healthcare, the Medical Imaging and Technology Alliance (MITA), Becton, Dickinson and Company (BD) and industry group AdvaMed are all seeking tweaks to draft guidance on managing cybersecurity in medical device premarket submissions.
The draft, released in October 2018, created a two-tiered approach to determining cyber risk, with higher risk devices falling into Tier 1 while other devices would be of “Standard Cybersecurity Risk” or Tier 2.
But in comments on the draft released this week, nearly all the companies and industry groups sought to scuttle or amend this tiered approach.
AdvaMed, for instance, called for eliminating the tiered approach and said it finds “this proposed two-tier framework confusing and unnecessary given its superficial similarity to FDA’s risk classification scheme for medical devices. Moreover, there are significant differences between device types that could fit within the proposed tiers … We believe FDA should remove the two-tiered approach in favor of a single risk-based approach that addresses the Agency’s cybersecurity expectations based on the exploitability of a device vulnerability and the severity of patient harm (if exploited), as outlined in the Agency’s postmarket cybersecurity guidance.”
GE Healthcare similarly found the two tiers “somewhat confusing and vague,” but suggested explicit criteria for an additional Tier 3 for “Low Cybersecurity Risk.” Such a third tier could “avoid the inclusion of non-electronic medical devices such as tongue depressors into Tier 2. We do not believe there is value in stating that a tongue depressor or blood pressure cuff has ‘Standard Cybersecurity Risk’ in a premarket submission.”
BD, meanwhile, called for the creation of a tier-less system to “promote implementation of equal security measures for all types of devices. It would also eliminate potential discrepancies and disagreements that can arise from classifications.” And if FDA decides to retain the current tiers, BD recommends “Tier 1 devices should also include a risk-based rationale. Risk-based rationale for Tier 1 devices should describe intended use scenarios, technological limitations, or risk-benefit trade-offs that preclude the implementation of specific control(s).”
And MITA sought more clarity overall, calling the tiered system unclear. “How will the FDA distinguish between a medical device for which a cybersecurity incident could directly result in patient harm to multiple patients, and one that does not? What does the phrase ‘harm to multiple patients’ mean in practice?”