Responding to the growing threat of cybersecurity breaches in medical devices, the Food and Drug Administration (FDA) in draft guidance is updating recommendations on device design, labeling, and documentation to better manage risk during the premarket submission process.
“Cybersecurity threats and vulnerabilities in today’s modern medical devices are evolving to become more apparent and more sophisticated, posing new potential risks to patients and clinical operations,” said FDA Commissioner Scott Gottlieb, MD, in a statement. The new proposed recommendations are “part of the total product life cycle approach to device safety, in which manufacturers must adequately address device cybersecurity from the design phase through the device’s time on the market to help ensure patients are protected from cybersecurity threats,” he said.
The draft offers significant updates to cybersecurity premarket guidelines FDA issued in 2014. “So far, the guidelines have been very effective in helping medical device manufacturers navigate the cybersecurity landscape in stages involving medical device conception to design and development to FDA approval,” Sagar Patel, a cybersecurity software engineer at Battelle Memorial Institute, a nonprofit science and technology development company in Columbus, Ohio, told CLN Stat.
The updated version aligns more closely with the National Institute of Standards and Technology cybersecurity framework for responding to security threats, Patel observed. It also seeks to ensure that medical device manufacturers align with other security-sensitive industries such as industrial control systems, he added.
FDA is recommending that manufacturers provide a “cybersecurity bill of materials” that outlines a device’s commercial and/or off-the-shelf software and hardware components that might be vulnerable to attack. Manufacturers under this proposal will have to embed security into devices from the design stage, which may add cost and resource overhead. “But at the end of the day, that will be a justified increase,” Patel said.
The guidance also divides devices into two cybersecurity risk tiers, placing implanted devices such as pacemakers or neurostimulation tools into the higher risk category and those containing software into the standard risk category. “One obvious advantage of this approach is that the simple, less security-sensitive devices will not have to maintain the same rigorous cybersecurity requirements expected from, say, a life-sustaining device like a pacemaker,” Patel said.
The agency plans to hold a public workshop January 29–30, 2019, to encourage stakeholder discussion and feedback on the draft document.
The draft update to the premarket guidance is one of several measures FDA has taken to update and refine cybersecurity preparedness in the medical device industry. “The FDA has been working to stay a step ahead of these changing cybersecurity vulnerabilities, including engaging with external stakeholders. In this way, we can help ensure the healthcare sector is well-positioned to proactively respond when cyber vulnerabilities are identified in products that we regulate,” Gottlieb said. In 2016, the agency issued guidance on managing cybersecurity at the postmarket stage of distributing medical devices.
In more recent efforts, the FDA teamed up with the MITRE Corp. on a cybersecurity playbook, a supplement to current recommendations on medical device cybersecurity preparedness. The playbook outlines the steps hospitals and other healthcare entities could take to develop a cybersecurity preparedness and response plan. In another collaboration, FDA and various stakeholder groups entered into an agreement to create information sharing and analysis organizations that will gather, analyze, and distribute data about cybersecurity threats.
The agency’s fiscal 2019 budget proposal also supports the development of a new digital health center that would include a cybersecurity unit for medical devices.
FDA isn’t the only entity calling for stepped-up controls in the medical device industry. Earlier this year, CLN Stat reported on the steps urged by healthcare consultants to establish a “culture shift” on medical device security. Cybersecurity of medical devices and patient data is one of the six biggest adverse events to patient safety, according to global research and consulting firm Frost & Sullivan.