The integration of wireless, Internet, and network-connected capabilities into medical devices, coupled with the frequent exchange of health information, necessitates robust cybersecurity controls. In the absence of adequate controls, a cybersecurity threat can compromise the safety and/or effectiveness of a device by compromising the functionality of any asset in the system. Regulatory agencies across the globe recognize that cybersecurity in medical devices is a shared responsibility among stakeholders.
The US FDA has been proactive in addressing medical device cybersecurity. It released a guidance document in 2014 on premarket submissions for management of cybersecurity in medical devices, followed by the Postmarket Management of Cybersecurity in Medical Devices guidance in 2016. Because the medical device landscape is constantly evolving, the regulations must evolve with it to protect users and patients from increasing threats, and updates to these guidance documents were needed to mitigate the threats associated with connected devices.
Medical Device Cybersecurity: mitigating threats and maximizing patient safety
The healthcare sector is experiencing a rise in both the frequency and severity of cybersecurity threats, posing a greater risk of clinical and patient-safety consequences. In response to this escalating challenge, the U.S. FDA issued its final guidance on cybersecurity in medical devices, titled “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions,” released on September 27, 2023. This guidance introduces critical changes for manufacturers, stressing the importance of a comprehensive cybersecurity approach.
The FDA guidance applies to devices with cybersecurity considerations, including those that do not require a premarket submission. It covers various submission types and emphasizes cybersecurity as a shared responsibility. Section 524B of the FD&C Act, enacted in 2022, mandates that cybersecurity information be submitted for devices that meet the definition of a “cyber device.” Manufacturers must address these obligations to comply with the FD&C Act.
What are the key points and updates in the new guidance document?
Secure Product Development Framework (SPDF): The guidance introduces a “Secure Product Development Framework” focused on comprehensive risk management, security architecture, and cybersecurity-specific testing. It also makes recommendations for transparency in cybersecurity, including a vulnerability management plan and modified labelling.
Incorporating AI/ML and Cloud-Based Devices: The guidance communicates the FDA’s current thinking on cybersecurity requirements for AI/ML-enabled devices and cloud-based services, with an emphasis on the challenges of managing cybersecurity risks associated with public cloud services.
Cybersecurity Risk Management: A distinction has been made between safety risk management and cybersecurity risk management, with recommendations for expanded content elements and a risk management plan in the cybersecurity risk management report. The guidance also emphasizes non-probabilistic assessment of cybersecurity risk, using exploitability rather than likelihood as the measure.
Software Bill of Materials (SBOM): An SBOM is introduced as a required component of marketing applications for cyber devices and is recommended for all other devices. The SBOM provisions extend to both manufacturer-developed components and third-party components, and the guidance recommends identifying the vulnerabilities associated with each device and software component.
Post-market Monitoring: Vulnerability Management Plans are renamed Cybersecurity Management Plans, and the plan should identify the vulnerability databases and other sources used for ongoing vulnerability monitoring.
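Identifying vulnerabilities associated with SBOM components in practice means cross-referencing each listed component and version against vulnerability records. The following is an added example, not code from the DDReg page or from the FDA guidance: it parses a constructed CycloneDX-style SBOM for a hypothetical device, matches each component against a constructed, simplified vulnerability list, and flags components whose version is missing from the SBOM (which cannot be assessed at all). Every component name, version and advisory identifier below is hypothetical.

```python
"""Cross-reference an SBOM against vulnerability records.

Added example, not part of the DDReg page or the FDA guidance. The SBOM and the
vulnerability records are constructed for illustration; component names,
versions and advisory identifiers are hypothetical.
"""
import json

# Constructed CycloneDX-style SBOM for a hypothetical infusion-pump controller.
# Both manufacturer-developed and third-party components are listed, as the
# guidance recommends; one component deliberately omits its version.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "application", "name": "pump-controller", "version": "3.2.1",
     "supplier": {"name": "Example Medical (manufacturer)"}},
    {"type": "library", "name": "tls-lib", "version": "1.0.2",
     "purl": "pkg:generic/tls-lib@1.0.2"},
    {"type": "library", "name": "json-parser", "version": "2.7.0",
     "purl": "pkg:generic/json-parser@2.7.0"},
    {"type": "operating-system", "name": "rtos-kernel",
     "purl": "pkg:generic/rtos-kernel"}
  ]
}
"""

# Constructed, simplified vulnerability records (not a real feed format):
# a component is affected if introduced <= version < fixed.
# fixed = None means no fixed version exists yet.
VULN_RECORDS = [
    {"id": "EXAMPLE-2023-0001", "component": "tls-lib",
     "introduced": "1.0.0", "fixed": "1.0.3"},
    {"id": "EXAMPLE-2023-0002", "component": "json-parser",
     "introduced": "2.0.0", "fixed": "2.7.0"},
    {"id": "EXAMPLE-2023-0003", "component": "rtos-kernel",
     "introduced": "4.0", "fixed": None},
]


def parse_version(version):
    """Turn '1.0.2' into (1, 0, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version, record):
    """True if introduced <= version < fixed, or if no fix exists."""
    v = parse_version(version)
    if v < parse_version(record["introduced"]):
        return False
    fixed = record["fixed"]
    return fixed is None or v < parse_version(fixed)


def match_sbom(sbom_json, vuln_records):
    """Map each SBOM component to the list of matching advisory ids, or to the
    string 'unknown-version' when the SBOM gives no version to assess."""
    sbom = json.loads(sbom_json)
    by_component = {}
    for rec in vuln_records:
        by_component.setdefault(rec["component"], []).append(rec)

    findings = {}
    for comp in sbom["components"]:
        name = comp["name"]
        version = comp.get("version")
        if version is None:
            # A component without a version is a gap in the SBOM itself:
            # it cannot be matched against any record and must be fixed upstream.
            findings[name] = "unknown-version"
            continue
        findings[name] = [r["id"] for r in by_component.get(name, [])
                          if is_affected(version, r)]
    return findings


if __name__ == "__main__":
    for component, status in match_sbom(SBOM_JSON, VULN_RECORDS).items():
        print(f"{component}: {status}")
```

Two details matter for a real monitoring process and are shown here: versions are compared numerically (string comparison would rank "1.10" below "1.9"), and the fixed-version boundary is exclusive, so json-parser 2.7.0 is correctly reported as not affected while tls-lib 1.0.2 is. The unversioned rtos-kernel entry is reported as unassessable rather than silently passed, which is the outcome an SBOM review should surface.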
Security Control Categories: The guidance identifies recommended security control categories, including authentication, authorization, cryptography, and others. It emphasizes that deprecated cryptographic algorithms should not be implemented and encourages the deployment of hardware-based security solutions.
General Premarket Submission Documentation Elements: The appendix compiles the suggested documentation for Investigational Device Exemption (IDE) and premarket submissions. The guidance also highlights the importance of scaling documentation to the device’s cybersecurity risk level, using the threat model and security architecture as the reference.
The US FDA’s Cybersecurity in Medical Devices guidance addresses key concerns related to cybersecurity in medical devices. With its focus on the SPDF, AI/ML and cloud-based devices, SBOMs, and post-market monitoring, the FDA aims to enhance the security and transparency of medical devices throughout their lifecycle. Medical device manufacturers are urged to align with these guidelines in light of the evolving threat landscape and the legal obligations under Section 524B. The guidance provides a framework for manufacturers to ensure the safety and effectiveness of their devices, emphasizing ongoing monitoring, risk management, and documentation throughout the product lifecycle.
DDReg, a leading regulatory consulting organization, has supported its customers in achieving successful and compliant product submissions across the globe. With a knowledge base covering over 120 regulatory agencies, deep subject matter expertise, industry knowledge, and access to in-house RegTech software, DDReg holds a 100% success rate with competent authorities. Read more from DDReg’s experts: Quality Assurance & Compliance