Third time’s a charm: US FDA reissues cybersecurity draft guidance

Regulatory News | 07 April 2022

After significant stakeholder feedback, the US Food and Drug Administration decided that, instead of finalizing its 2018 premarket cybersecurity draft guidance, it would reissue an entirely new draft guidance with significant changes. One of those changes is asking manufacturers to provide a software bill of materials (SBOM) instead of a cybersecurity bill of materials (CBOM), which had been a major sticking point for the medtech industry.
The FDA published the draft guidance titled, “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions” on 7 April. This follows a final premarket cybersecurity guidance the agency published in 2014 and then updated in a draft guidance in 2018 (Related: Cybersecurity: FDA Spells Out Updated Premarket Policies, Regulatory Focus, 17 October, 2018).
After the 2018 draft guidance was published, the FDA received significant feedback from stakeholders, through comments and at a public workshop, that led regulators to decide that rather than making changes and finalizing that draft, it was better to develop a new guidance altogether.
Suzanne Schwartz, director of the Office of Strategic Partnerships and Technology Innovation at the Center for Devices and Radiological Health (CDRH), notes that the first guidance was only 9 pages long, whereas the latest guidance is almost 50 pages, which speaks to how far the guidance has evolved.
“The very first guidance in 2013/14 was foundational. It was putting a stake in the ground with respect to the core principles that FDA wanted to articulate to industry around what our expectations were for building cybersecurity into the design of new devices,” she told Regulatory Focus. “We were really starting from a very rudimentary place in articulating those basic principles and recognizing even at that time that this was going to be an area with a fair amount of iteration and evolution, and that we would be revisiting it at some point in the future.”
Schwartz noted the subsequent draft guidances provide far more granularity in terms of what the FDA has learned about cybersecurity best practices in the premarket and postmarket space, and what it wants to see in product development.
“This new premarket guidance really raises the bar in its technical detail, in the expectations that we have of manufacturers, so that we're not dealing with devices that are characterized by the same legacy challenges that we have today,” said Schwartz.
The first guidance was comparatively far simpler and focused on a framework for the FDA, industry, healthcare providers and other stakeholders to work together to develop new products that take cybersecurity into account. By comparison, the 2018 draft guidance provided much more detail about what the agency wants to see in product applications and emphasized the need for sponsors to take a total product lifecycle (TPLC) approach to cybersecurity.
The latest iteration, however, adds to that by asking sponsors to think about cybersecurity in the context of the agency’s quality system regulation (QSR) and to consider using a secure product development framework (SPDF) to achieve that goal.
“An SPDF encompasses all aspects of a product’s lifecycle, including development, release, support, and decommission,” the draft guidance states. “Additionally, using SPDF processes during device design may prevent the need to re-engineer the device when connectivity-based features are added after marketing and distribution, or when vulnerabilities resulting in uncontrolled risks are discovered.”
A key difference between the 2018 draft guidance and the new one is that the FDA has decided to ask sponsors only for a software bill of materials (SBOM) instead of a cybersecurity bill of materials (CBOM). While an SBOM focuses on the software components built into a device, a CBOM also has to account for the hardware components, which industry has argued would be considerably more burdensome to list.
“Most of the vulnerabilities we're going to encounter anyway are going to be software related and we wanted to avoid perfect being the enemy of good here,” said Schwartz. “When we're looking for a way to make an impactful change, we'll get there with a software bill of materials and forgoing at this time the hardware piece.”
Another big change from the previous draft guidance is that the FDA has removed the requirement that sponsors categorize their product into risk tiers. According to Schwartz, industry argued that as long as certain parameters are met, risk tiers are not necessary.
“We did not draw a distinction in terms of what needs to be provided as requested cybersecurity information in the premarket process as a result,” she noted. “We did put a lot more detail in as far as what that documentation needs to look like in a premarket submission and that's inserted all the way as you walk your way through the guidance.”
Schwartz also notes that another key component of the new draft guidance is that it aligns with President Joe Biden’s May 2021 executive order to enhance the US’ cybersecurity posture. The order especially focuses on protecting the US’ infrastructure and industrial control systems from nation-state actors.
“That executive order made a very important point around the use of SBOMs and actually requires SBOMs for those devices that are procured by the government and we felt it was very important for us to be in alignment with that executive order as well,” said Schwartz.
Beyond requiring SBOMs for transparency, the guidance also puts considerable emphasis on transparency more broadly, asking manufacturers to provide technical information, such as manuals, that healthcare providers can use to act quickly to patch devices.
“A lack of cybersecurity information, such as information necessary to integrate the device into the use environment, as well as information needed by users to maintain the device’s cybersecurity over the device lifecycle, has the potential to affect the safety and effectiveness of a device,” the guidance states. “In order to address these concerns, it is important for device users to have access to information pertaining to the device’s cybersecurity controls, potential risks, and other relevant information.”
More specifically, the guidance notes that a sponsor's inability to provide information on whether the device has any undisclosed cybersecurity vulnerabilities or risks could degrade its effectiveness. It also notes that user manuals lacking sufficient information on how to securely configure or update the device may limit the ability of end users to protect it.
“What's been very clear to us is the importance of good communication and transparency for purposes of giving healthcare organizations the tools and the means by which they are able to also address cybersecurity concerns as they arise in the maintenance of devices on their networks and systems,” said Schwartz. “We do want to make sure that health care organizations have what they need to properly arm and protect their networks, and ultimately to protect devices and patients.”
The topic of medical device cybersecurity is also being addressed in the user fee reauthorization bill going through Congress. In its budget request to Congress, the FDA recently asked lawmakers to give it more authority to require that cybersecurity considerations be built into medical devices. On that topic, Rep. Michael Burgess (R-TX) proposed exactly that in a rider to the Medical Device User Fee Amendment (MDUFA V) reauthorization bill. (Related: FDA’s legislative wish list includes device cybersecurity, a generic exclusivity fix, and more, Regulatory Focus, 4 April, 2022)
The new draft guidance is open for comment for 90 days, after which the FDA will review the comments and decide whether to make any changes before publishing a final guidance, though Schwartz says the final guidance likely won’t be coming out this year.
“There are a lot of things totally outside of our control in terms of clearing (the guidance),” said Schwartz. “Aside from the agency's clearing, there are other levels of clearing that guidances need to undertake and we have no way of being able to have control over that.”
She did, however, say the FDA is hoping to disseminate the guidance as widely as possible, including through public venues, and said people should stay tuned as to what that will look like.
Stakeholders can comment on the new draft guidance under docket no. FDA-2021-D-1158 until 7 July 2022.


© 2022 Regulatory Affairs Professionals Society.