FDA 2016 Guidance on Cybersecurity within Medical Devices
On October 18th, 2018, the FDA released a draft guidance named “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices”. This guidance recommends cybersecurity design, labeling, and documentation for all premarket submissions of devices that contain any cybersecurity risk. I teamed up with Velentium’s Principal System Security Architect, Christopher Gates, to summarize the impact of these new guidelines and offer insight on how to successfully comply with them.
In October of 2014, the FDA released the first version of its Premarket Cybersecurity Guidance. This early version conveyed the FDA’s heightened interest in ensuring secure medical devices do no patient harm, but was unclear about exactly what steps needed to be taken in order to meet the their expectations.
Following that release, Velentium has reviewed dozens of clients’ pre-submission meeting minutes, which included 483s, warning letters, and pre-market rejections that detailed the FDA’s evolving expectations for security in new medical devices and their supporting systems. This cumulative insight allows us to tailor our client’s development activities and generated artifacts to meet the FDA’s threshold.
Most of the activities and deliverables in the new 2018 guidance have been the FDA’s expectations for the past 12 to 18 months, but were not publicly documented and available to the industry.
Make no mistake, the content and approach described in this guidance is required. A recent Office of the Inspector General’s report made three distinct recommendations to the FDA regarding medical device cybersecurity:
· Promote the use of pre-submission meetings to address cybersecurity and related questions
· Include cybersecurity documentation as a criterion in the FDA’s “Refuse to Accept” checklist
· Include cybersecurity as an element in the smart template
In response, the FDA stated (Appendix B – Page 19) that “it welcomes the OIG report as a means for strengthening the agency’s already robust premarket review of networked medical devices. The FDA has already taken steps to implement these recommendations, and plans to update OIG as these items are completed.”
In the past, some manufacturers believed they would be able to justify not following the proper procedures needed to create a secure device by performing risk-benefit analysis on which they could base their case to the FDA reviewer in a premarket submission.
However, with the changes brought about by the report from the OIG and the FDA issuing its new guidance in response, any submission that fails to include all mandated security artifacts stipulated in the “Refuse to Accept” checklist will be rejected by a clerk. The manufacturer’s justifications for ignoring security will never be seen by a reviewer.
Although this seems strict, the OIG and FDA now encourage manufacturers to utilize pre-market submission meetings to address cybersecurity questions. This practice can significantly reduce delay caused by manufacturer’s misunderstandings and subsequent rejection of a pre-market approval request.
Although these guidelines were released as a “draft”, the FDA is abiding by them for all new submissions, superseding the October 2nd, 2014 guidance. The FDA has adopted a prescriptive approach to clarify their expectations while raising the expected cybersecurity level of all new devices.
Cybersecurity expectations extend throughout the entire life-cycle of a product, including the complete development cycle (not just a post-design afterthought), as well as post-market. Even after a product is discontinued, manufacturers are now required to keep track of devices for up to a 5-year period.
In addition, proprietary protocols are no longer deemed secure. Security researchers and hackers reverse-engineer and exploit these measures every day. No matter the level of expertise used, if you are not using strong and proven cryptographic primitives, then a proprietary protocol does not stand a chance of being secure. While utilizing cryptographic primitives does not ensure you have a secure device, it is a fundamental first step in the overall protection of a device.
In summary, the new expectations include:
· 14 new areas of coverage for security topics in labeling/Instructions for Use (Section 6)
· Handling description of field software updates and patches
· 38 new design-based mitigations (Section 5)
· Assignment and justification for a security tier designation
· 20 new detailed security artifacts generated during the development lifecycle included in the submission package (Section 7)
· Software & Hardware Bill of Materials utilized in the product – cross-referenced against known vulnerabilities
· Requirement stating protection mechanisms should prevent all unauthorized use through all interfaces
· Traceability matrix linking all security artifacts into requirements and hazard analysis
This new guidance is a welcome step forward, as it accurately communicates to designers and manufacturers the FDA’s expectations for securing medical devices.
Over the course of the next few weeks, we will be releasing several informative pieces regarding each of these topics and more. If you'd rather not wait, you can download the entire white paper here.
If you would like to be notified of when these posts go live, please sign up for up-to-date email alerts at the right of this page.
To learn more about Christopher Gates and his background in medical devices and cybersecurity, click here.