Raising the Bar on Premarket Medical Device Cybersecurity
The Food and Drug Administration’s decision to incorporate “quality systems regulations” into its latest draft guidance for the cybersecurity of premarket medical devices is an important development in the scope of the agency’s security expectations for manufacturers, says Dr. Suzanne Schwartz of the FDA.
“We have stated over many years the importance of thinking about cybersecurity from beginning to end, all the way through a product’s use life,” she says in an interview with Information Security Media Group.
“And therefore that has to be considered under the umbrella of the quality systems considerations,” she says. “While we mentioned the quality systems regulations in our original [premarket medical device cybersecurity] guidance in 2014, it became clear to us as we further evolved … and the ecosystem matured more – that it becomes much more necessary to call out the QSR as something manufacturers need to be thinking about early, early on as they design their devices,” she says.
“This guidance does a kind of crosswalk for medical device manufacturers through the QSR as it relates to their premarket submission and what the [cybersecurity] expectations are of manufacturers.”
Revamped Draft Guidance
The FDA’s draft guidance issued on April 6, “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions,” covers a wide range of cybersecurity device design, labeling and documentation issues that the FDA expects to be addressed by manufacturers in their premarket submissions to the agency.
The new draft guidance, for which the FDA is accepting public comment until July 7, replaces earlier draft guidance that the FDA released in 2018. That 2018 draft guidance proposed updates to a final guidance that the FDA issued in 2014, which addressed premarket cybersecurity expectations at the time, the FDA says.
Once the new 2022 draft guidance is finalized, however, it will replace the FDA’s 2014 cybersecurity guidance for premarket medical devices, Schwartz says.
Road Map for Meeting Expectations
While FDA guidance materials are considered nonbinding, the latest draft document – once finalized – is meant to provide a road map for how medical device makers can accomplish requirements under the FDA’s QSR and patient safety regulations, and address cybersecurity considerations in their premarket submissions to the agency, according to Schwartz.
“The guidance provides what we believe is the road map for greatest efficiency for meeting FDA’s premarket medical cybersecurity expectations,” she says.
“Not adhering to the guidance on the premarket side will possibly raise additional questions that the [FDA] review teams [might] come back to [manufacturers] with that take a fair amount of back-and-forth, in terms of getting those questions answered.”
In the interview, Schwartz also discusses:
- Bipartisan legislation, the Protecting and Transforming Cyber Health Care Act, or PATCH Act, recently introduced in Congress, which if signed into law could empower the FDA to require device manufacturers to implement certain cybersecurity requirements;
- The FDA’s decision to drop a previous proposal for manufacturers to include a “cybersecurity bill of materials” for their premarket devices, in favor of calling for makers to provide a “software bill of materials” to the FDA and to customers;
- How the draft guidance addresses threat modeling and varying levels of cybersecurity risk and related patient safety concerns for different types of medical devices, such as implantable cardiac devices, infusion pumps and other products;
- A proposal for manufacturers to provide cybersecurity documentation for “investigational device exemption” products that are used in clinical studies prior to FDA submission for premarket authorization;
- Other important changes in the FDA’s latest draft guidance compared to the FDA’s earlier premarket cybersecurity guidance for medical devices issued in 2018;
- The FDA’s final postmarket guidance released in 2016 for how medical device manufacturers should help maintain the cybersecurity of network-connected devices once they are in use;
- The surge in ransomware attacks and other evolving cyberthreats facing the healthcare and public health sector.
Schwartz is the director of the Office of Strategic Partnerships and Technology Innovation at the FDA’s Center for Devices and Radiological Health, or CDRH. Her work in medical device cybersecurity includes awareness-raising, education, outreach, partnering and coalition-building within the healthcare and public health sector, as well as fostering collaborations across other government agencies and the private sector. She also chairs CDRH’s cybersecurity working group, tasked with formulating the FDA’s medical device cybersecurity policy, and has served as co-chair of the Government Coordinating Council for the healthcare and public health critical infrastructure sector.