FDA Calls for 'Cybersecurity Bill of Materials' for Devices
Food and Drug Administration Releases Draft of Updated Pre-Market Guidance for Medical Devices
Before marketing their medical devices, manufacturers should prepare a "cybersecurity bill of materials" that lists components that could be susceptible to vulnerabilities, according to a draft of updated Food and Drug Administration premarket guidance.
In addition to releasing the proposed guidance this week, the FDA announced a formalized agreement with the Department of Homeland Security to implement a new framework for greater collaboration between the two agencies for addressing cybersecurity in medical devices.
"From my vantage point, it looks like everyone in the medical device security community is happy to see stronger premarket recommendations and a more formal relationship between the FDA and DHS," says Ben Ransford, CEO and co-founder of healthcare cybersecurity firm Virta Labs. "Clear delegations of responsibility make incident response easier."
The FDA's draft premarket guidance is a significant refresh of FDA's 2014 guidance, the agency notes.
FDA in December 2016 released final post-market guidance for how medical device manufacturers should help maintain the cybersecurity of network-connected devices once they are in use.
"Because of the rapidly evolving nature of cyber threats, we're updating our [premarket] guidance to make sure it reflects the current threat landscape so that manufacturers can be in the best position to proactively address cybersecurity concerns when they are designing and developing their devices," says FDA Commissioner Scott Gottlieb, M.D.
"This is part of the total product lifecycle approach to device safety, in which manufacturers must adequately address device cybersecurity from the design phase through the device's time on the market to help ensure patients are protected from cybersecurity threats."
The draft guidance provides updated recommendations on cybersecurity considerations for device design, labeling and documentation that should be included in premarket submissions for agency approval of medical devices that have cybersecurity risk, FDA notes.
The agency will conduct a public workshop for industry stakeholders on Jan. 29-30, 2019, to discuss the newly released draft guidance before it's finalized.
Two Tiers of Risk
In the guidance, the FDA proposes defining two tiers of devices based on their cybersecurity risk.
Tier 1, or "higher cybersecurity risk" products, include devices capable of connecting - wired or wirelessly - to another medical or non-medical product, or to a network or the Internet, and for which a cybersecurity incident could directly result in harm to multiple patients, FDA says.
Some examples of Tier 1 devices are implantable cardiac devices, such as defibrillators and pacemakers; infusion and insulin pumps; and the supporting connected systems that interact with these devices, such as home monitors and those with command and control functionality such as programmers.
Tier 2, or "standard cybersecurity risk" medical devices, are those that don't meet the criteria for Tier 1.
Bill of Materials
The proposed bill of materials to be submitted before devices are marketed would be "a list of commercial, open source and off-the-shelf software and hardware components to enable device users - including patients, providers and healthcare delivery organizations - to effectively manage their assets, to understand the potential impact of identified vulnerabilities to the device - and the connected system - and to deploy countermeasures to maintain the device's essential performance," the guidance notes.
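As an added example (not from the article or the FDA guidance), the following shows the kind of check a healthcare delivery organization could run over a vendor-supplied bill of materials to see which listed components fall under a published advisory; the record layout, component names, versions and advisory ids are all constructed placeholders.

```python
"""Cross-check a cybersecurity bill of materials (CBOM) against advisories.

Constructed illustration: the record layout, component names, versions and
advisory identifiers below are placeholders, not real products or CVEs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str        # e.g. an RTOS, a TLS library, a radio module
    version: tuple   # parsed version, e.g. (2, 4, 1), so it compares numerically
    kind: str        # "software" or "hardware", as the draft lists both
    supplier: str    # commercial, open source or off-the-shelf source


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder id, not a real identifier
    component: str     # CBOM component name the advisory applies to
    fixed_in: tuple    # first version that is no longer affected


def parse_version(text: str) -> tuple:
    """Turn '2.4.1' into (2, 4, 1) so version comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.split("."))


def affected(cbom, advisories):
    """Return (advisory_id, component) pairs for every CBOM entry whose version
    is older than the advisory's fixed version. Components the CBOM does not
    list cannot be matched, which is exactly why a complete inventory matters."""
    by_name = {c.name: c for c in cbom}
    hits = []
    for adv in advisories:
        comp = by_name.get(adv.component)
        if comp is not None and comp.version < adv.fixed_in:
            hits.append((adv.advisory_id, comp.name))
    return hits


# Constructed sample CBOM for a hypothetical connected infusion pump.
CBOM = [
    Component("rtos-kernel", parse_version("3.1.0"), "software", "ExampleVendor"),
    Component("tls-lib", parse_version("1.0.2"), "software", "ExampleProject"),
    Component("ble-radio", parse_version("2.0.0"), "hardware", "ExampleSilicon"),
]

# Constructed advisories; ids are placeholders.
ADVISORIES = [
    Advisory("ADV-0001", "tls-lib", parse_version("1.1.0")),
    Advisory("ADV-0002", "ble-radio", parse_version("2.0.0")),
    Advisory("ADV-0003", "rtos-kernel", parse_version("3.0.5")),
]

if __name__ == "__main__":
    for advisory_id, name in affected(CBOM, ADVISORIES):
        print(f"{advisory_id}: device ships affected component {name}")
```

Only the TLS library matches here: the radio is already at the fixed version and the kernel is newer than the advisory's fix, so an accurate version in the CBOM is what keeps the report from over- or under-reporting exposure.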
"There is always a tension for companies about providing a sufficient level of transparency that would allow customers, users who interact with the devices to have sufficient information to make decisions around security operations," says regulatory attorney Yarmela Pavlovic of the law firm Hogan Lovells.
"FDA has realized that cybersecurity is a challenge that can only be effectively addressed by a wide range of shareholders - not just medical device manufacturers, but also healthcare delivery organizations, potential patients. So, there's always tension between providing sufficient information to allow those other shareholders to engage in effective security practices while not providing too much transparency such that it compromises proprietary information."
Some security experts note that the devil is in the details in terms of whether companies actually will prepare thorough component lists.
"The concept of a software bill of materials is hard to argue with in principle, but the committees that have been formed to figure out the details, some of which include me, still have quite a bit of work to do," Ransford says. "It will be several years before end users of medical devices will be able to derive meaningful value from a software bill of materials on a daily basis."
The draft guidance also "provides a much clearer roadmap for applying the National Institute of Security and Technology framework, and specifically areas that are relevant to medical devices," notes Mac McMillan, CEO of security consultancy CynergisTek.
Meanwhile, in an Oct. 16 statement, the FDA notes that its new agreement with DHS formalizes a longstanding relationship between the agencies around medical device cybersecurity, most notably coordination of vulnerability disclosures.
The goal of the new agreement is "to expand these types of collaboration by increasing the sharing of information between the two agencies to enhance mutual awareness of potential or known threats, thereby heightening coordination when vulnerabilities are identified," FDA says.
Under the agreement, DHS will continue to serve as the central medical device vulnerability coordination center and interface with appropriate stakeholders, including consulting with FDA for technical and clinical expertise regarding medical devices, FDA says.
The DHS' National Cybersecurity and Communications Integration Center will continue to coordinate and enable information sharing between medical device manufacturers, researchers and FDA, particularly in the event of cybersecurity vulnerabilities in medical devices that are identified to DHS.
FDA will continue to engage in regular, ad hoc and emergency coordination calls with DHS and advise DHS regarding the risk to patient health and potential for harm posed by identified cybersecurity threats and vulnerabilities, the statement notes.
"Collaboration between these two organizations is the right partnership for addressing the problem holistically with the right people focused on the right things with the right expertise," McMillan says. "DHS is far better positioned to address the threat to these devices than FDA, but FDA controls what goes into the guidance and certification criteria for these devices. So together, they should be able to build a better device for the consumer."
Series of Security Steps
The draft guidance and alliance with DHS are the latest in a series of steps by FDA to address medical device cybersecurity concerns.
In recent weeks, FDA also announced a number of other key moves - including the release of a new security playbook and plans to leverage information sharing and analysis organizations.
Also, in its fiscal 2019 budget request, FDA is seeking funding for a new digital health "center of excellence" that would include a cybersecurity unit (see FDA's New Digital Health Cyber Unit: What Would it Do?).