FDA Spells Out When Medical Device Modifications Need ReviewAgency Clarifies When Manufacturers Need FDA Approval for Security Changes
Trying once again to clarify that security patches to medical devices usually don't need regulatory approval, the Food and Drug Administration has issued final guidance clarifying exactly when manufacturers must have the agency review device modifications.
The new guidance documents essentially reiterate a message that the FDA has been sending to manufacturers for several years: In most cases, changes made to medical devices - or to the software - to address the security of the products do not require FDA review via the "510(k) submission" process.
The FDA had issued preliminary versions of the guidance in August 2016.
"These new guidance documents do not change the FDA's review standard: A new 510(k) is required when a marketed device has changes, including changes to software, that could significantly affect the safety or effectiveness of the device or when there are major changes in the intended use of the device," says FDA Commissioner Scott Gottlieb, M.D.
The two new guidance documents, he explains "enhance predictability and consistency for innovators deciding when to submit new 510(k)s by better describing the regulatory framework, policies and practices underlying such a decision."
The documents - Deciding When to Submit a 510(k) for a Change to an Existing Device and Deciding When to Submit a 510(k) for a Software Change to an Existing Device - cover a range of other potential changes manufacturers might make to legacy medical devices besides those related to cybersecurity.
Regarding cybersecurity modifications to a device, the FDA guidance states: "In many cases, a change made solely to strengthen cybersecurity is not likely to require submission of a new 510(k). Cybersecurity updates are considered a subset of software changes that are implemented to strengthen the security of a system, protect information and reduce disruption in service."
The FDA expects manufacturers to ensure that such changes do not impact the safety or effectiveness of the device by performing necessary analysis, verification and/or validation. "If a manufacturer becomes aware of any incidental or unintended impacts of the change on other aspects of the software or device, the manufacturer should continue through the remaining questions in this guidance," the agency says.
Spotlighting Security Issues
The new FDA guidance will be helpful to manufacturers "because of the clarity it will add," says Bill Aerts, deputy director of the Archimedes Center for Medical Device Security at the University of Michigan.
"The FDA has been very clear that patches for security in medical devices do not require FDA approval. However, there still has been confusion among 'quality groups' in organizations because of the lack of specificity in how that determination is made, and the process for doing that. This guidance should help in clearing that up," he says.
While the guidance is directed primarily at vendors, the documents are potentially helpful to healthcare providers as well, Aerts says.
"One of the more confusing areas for healthcare entities is when they are made aware of a possible vulnerability, [it can be difficult to get] good information from the manufacturer about whether it affects their products specifically, and what they and/or the manufacturer should do to minimize the risk," he says. "That information hasn't always been readily available and communicated, but manufacturers are working with healthcare [entities] to develop and communicate this information."
The guidance provide flowcharts to help manufacturers determine whether modifications to existing medical devices or the devices' software necessitate an FDA review.
For instance, regarding a "proactive software security patch," the FDA provides this example:
"A device manufacturer finds a security vulnerability as part of an ongoing security evaluation of their device. The manufacturer modifies the software solely to remove this vulnerability. The manufacturer's analysis determined that the change does not have any other impact on the software or the device. Outcome: Document the change to file." (That means no 510(k) review required.)
"A manufacturer makes a software modification to add encryption to the configuration file of the device and add passcode requirements for remote users, in addition to the password needed to access the device. A timeout is also added for remote users. The manufacturer's analysis determined that the change does not have any other impact on the software or the device. Outcome: Document the change to file." (Again, that means no 510(k) review required.)
Ben Ransford, co-founder and CEO of cybersecurity firm Virta Laboratories, questions whether the FDA's guidance will immediately change manufacturers' behavior. "This document seems like a pretty incremental update to the existing guidance, which was already unambiguous," he says, referring to the earlier draft guidance.
"The industry is still in a learning phase. We shouldn't let any manufacturer off the hook with respect to security, but we should be realistic about the fact that most manufacturers are just beginning down this road," he says.
"If manufacturers are having trouble interpreting FDA's guidance with respect to security, it's because security requires adversarial thinking and a lively imagination; these are different kinds of concerns than those they've traditionally had to address. Security is still a relatively new concern for medical device manufacturers. As manufacturers gain experience building security into their products, they will get better at interpreting the guidance and the industry will hit its stride."
The new guidance points out that not all modifications to medical devices that impact cybersecurity can bypass a new review by the FDA. For example, modifications to devices that change a previously "wired" device to a "wireless" device could spur a review.
The FDA writes: "Changes to device communication between device components or between the modified device and other products, particularly from wired to wireless, may change a device's risk profile by introducing or modifying risks regarding data transmission or cybersecurity.
"Changes to employ wireless communication in devices where it was previously not used are likely to significantly affect safety or effectiveness and likely require submission of a new 510(k). This is particularly true when wireless communication is used to control device operations. When evaluating other changes, including a change to a different wireless communication protocol, [certain] factors should be taken into account in determining whether submission of a new 510(k) is required."
Medical device researcher Billy Rios of security firm Whitescope says that a number of manufacturers have been working on modifications to turn previously "wired" devices into "wireless" devices. So the FDA's guidance should help provide clarification to those vendors about whether those types of changes require the agency's review.
"I've seen this with infusion pumps - there's been a big push to make these products wireless," he says. "That requires modification to actual device hardware - you're literally adding additional hardware, so you've likely changed some of the functionality of the device," possibly requiring an FDA review, as well as potentially creating new cybersecurity risks, he notes.
Ransford says the FDA recommendations related to wireless modifications are "right on the money." That's because "adding wireless communication requires extra verification because it can change the attack surface of a device. A new wireless interface becomes another avenue for a potential adversary to explore," he says. "Any newly introduced wireless hardware components must also be evaluated and maintained along with the system as a whole, since wireless modules are typically complex subsystems with privileged access to the device they're inside."