Attacks and Vulnerabilities
Critical infrastructure
Malware, Phishing & Ransomware
Medical
News
Regulation, Standards and Compliance
Risk & Compliance
Threat Landscape
Vulnerabilities

FDA releases draft medical devices cybersecurity guidance, calls for feedback

April 11, 2022
FDA releases draft medical devices cybersecurity guidance, calls for feedback

The U.S. Department of Health & Human Services (HHS) Food and Drug Administration (FDA) agency has announced the availability of draft guidance that provides recommendations to the healthcare industry regarding cybersecurity device design, labeling, and the documentation that the agency recommends to be included in premarket submissions for devices with cybersecurity risks. These recommendations can facilitate an efficient premarket review process and help ensure that marketed medical devices are sufficiently resilient to cybersecurity threats.

The draft guidance, titled ‘Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions,’ is intended to further emphasize the importance of ensuring that medical devices are designed securely. It also seeks to ensure that medical devices are designed to be capable of mitigating emerging cybersecurity risks throughout the Total Product Life Cycle (TPLC), and outlines the FDA’s recommendations for premarket submission content to address cybersecurity concerns. 

The FDA has also published a notice on Friday in the Federal Register calling for submissions of either electronic or written comments on the draft guidance by Jul. 7, to ensure that the agency considers all comments on the draft guidance before it begins work on the final version of the guidance. The draft guidance is not final nor is it for implementation at this time.

The agency recognizes that medical device security is a shared responsibility among stakeholders throughout the use environment of the medical device system, including healthcare facilities, patients, healthcare providers, and manufacturers of medical devices. It states that for the purposes of the draft guidance, the term ‘medical device system’ will include the device and systems, such as healthcare facility networks, other devices, and software update servers to which it is connected. 

The FDA issued final cybersecurity guidance addressing premarket expectations in 2014 titled ‘Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,’ and the complementary guidance ‘Postmarket Management of Cybersecurity in Medical Devices’ in 2016. Subsequently, in 2018, the agency proposed updates to the final guidance, ‘Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,’ and issued draft guidance of the same name. Although the FDA issued final guidance addressing premarket expectations in 2014 and draft guidance in 2018, the rapidly evolving landscape, and the increased understanding of the threats and their potential mitigations, necessitates an updated approach. The current FDA draft guidance is set to replace the 2018 draft guidance. 

The draft guidance takes into account the increasing integration of wireless, internet- and network-connected capabilities, portable media such as USB drives or CDs, and the frequent electronic exchange of medical device-related health information have pushed the need for robust cybersecurity controls to ensure medical device safety and effectiveness. 

“In addition, cybersecurity threats to the healthcare sector have become more frequent and more severe, carrying increased potential for clinical impact,” according to the FDA guidance. “Cybersecurity incidents have rendered medical devices and hospital networks inoperable, disrupting the delivery of patient care across healthcare facilities in the U.S. and globally. Such cyber attacks and exploits may lead to patient harm as a result of clinical hazards, such as delay in diagnosis and/or treatment,” it added. 

Increased connectivity has resulted in individual devices operating as single elements of larger medical device systems, the draft guidance said. These systems can include health care facility networks, other devices, and software update servers, among other interconnected components. “Consequently, without adequate cybersecurity considerations across all aspects of these systems, a cybersecurity threat can compromise the safety and/or effectiveness of a device by compromising the functionality of any asset in the system. As a result, ensuring device safety and effectiveness includes adequate device cybersecurity, as well as its security as part of the larger system,” it added. 

The draft guidance also identifies that software validation and risk analyses are key elements of cybersecurity analyses and demonstrates whether a connected device has a reasonable assurance of safety and effectiveness. “FDA requires manufacturers to implement development processes that account for and address cybersecurity risks as part of design controls. For example, these processes should address the identification of security risks, the design requirements for how the risks will be controlled, and the evidence that the controls function as designed and are effective in their environment of use for ensuring adequate security,” it added. 

The increasingly interconnected nature of medical devices has highlighted the importance of addressing cybersecurity risks associated with device connectivity in device design because of the effects on safety and effectiveness, the FDA said. Cybersecurity risks that are introduced by threats directly to the medical device or to the larger medical device system can be reasonably controlled by using an SPDF (Secure Product Development Framework), which is a set of processes that help reduce the number and severity of vulnerabilities in products. Risks that are introduced by threats directly to the medical device or to the larger medical device system can be reasonably controlled by using an SPDF, it added.

The primary goal of using the SPDF is to manufacture and maintain safe and effective devices, the FDA draft guidance revealed. From a security context, these are also trustworthy and resilient devices. These devices can then be managed, such as installed, configured, updated, and reviewed device logs, through the device design and associated labeling by the device manufacturers and/or users like patients and healthcare facilities, according to the draft guidance. 

“For healthcare facilities, these devices may also be managed within their own cybersecurity risk management frameworks, such as the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity, generally referred to as the NIST Cybersecurity Framework or NIST CSF,” it added.

Recognizing that cybersecurity risks evolve as technology evolves throughout a device’s TPLC, the FDA draft guidance recommends that manufacturers establish a plan for how they will identify and communicate vulnerabilities that are identified after releasing the device to users. “This plan can also support risk management processes in accordance with CFR 820.30(g) and corrective and preventive action processes in accordance with 21 CFR 820.100. FDA recommends that manufacturers submit their vulnerability communication plans as part of their premarket submissions so that FDA can assess whether the manufacturer has sufficiently addressed how to maintain the safety and effectiveness of the device after marketing authorization is achieved,” it added.

In addition to reinforcing the regulatory framework, there have also been legislative bills that work towards improving cybersecurity in the healthcare sector. The Senate Homeland Security and Governmental Affairs Committee recently cleared an amended version of the Healthcare Cybersecurity Act of 2022 that would require the HHS and the Cybersecurity and Infrastructure Security Agency (CISA) to enter into a collaborative agreement around improving cybersecurity in the healthcare and public health sectors.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure
Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
ASIS Foundation reports on impact of autonomous vehicles on security and technology
ASIS Foundation reports on impact of autonomous vehicles on security and technology
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
RMC
Risk Mitigation Consulting acquires Securicon, boosting cybersecurity and mission assurance offerings
Hackers target Tipton Municipal Utilities wastewater treatment plant, prompting federal investigation
Hackers target Tipton Municipal Utilities wastewater treatment plant, prompting federal investigation
New CGCYBER report warns of cybersecurity risks in marine environment due to network-connected OT systems
New CGCYBER report warns of cybersecurity risks in marine environment due to network-connected OT systems
Ukrainian CERT details malicious plan by Sandworm group to disrupt critical infrastructure facilities
Ukrainian CERT details malicious plan by Sandworm group to disrupt critical infrastructure facilities
DC3, DCSA collaborate to launch vulnerability disclosure program for defense industrial base
DC3, DCSA collaborate to launch vulnerability disclosure program for defense industrial base