By Sagar Patel, Battelle
The International Medical Device Regulators Forum (IMDRF) published on Oct. 1, 2019, new draft guidance outlining responsibilities and best practices for medical device manufacturers, regulators, and end users. The comment period for the non-binding draft guidance document, Principles and Practices for Medical Device Cybersecurity, closed Dec. 2, 2019.
Harmonizing Medical Device Cybersecurity Guidelines Across Borders and Agencies
Currently, cybersecurity guidelines for medical devices vary from country to country. In the United States, the U.S. Food and Drug Administration (FDA) has released two guidance documents aimed primarily at medical device manufacturers. Content for Premarket Submissions for Management of Cybersecurity in Medical Devices and Postmarket Management of Cybersecurity in Medical Devices — issued in 2014 (updated in 2018) and 2016, respectively — provide important information about what the FDA expects relevant to cybersecurity in premarket submissions and in postmarket management plans. These guidance documents have become the basis for regulatory guidance in several other countries. However, many countries have developed different guidelines or have not issued any guidance at all, creating significant confusion in the marketplace.
The IMDRF is a group of medical device regulators from around the world that have voluntarily come together to harmonize regulatory requirements for medical products that vary from country to country. IMDRF develops internationally agreed-upon documents related to a variety of topics affecting medical devices.
One of the new IMDRF guidance’s goals is to harmonize medtech cybersecurity guidelines between countries and regions so device manufacturers will have one clear set of rules to follow to achieve regulatory compliance in all the places they sell. The new guidance is not legally binding and does not replace or overturn relevant local regulatory requirements. However, it is expected that most countries will update their own regulatory guidance over time to harmonize with the IMDRF guidelines.
The cybersecurity guidance draft addresses premarket and postmarket cybersecurity considerations for manufacturers, regulators, healthcare providers and other stakeholders (e.g., security researchers). For premarket activities, the IMDRF recommendations address security requirements, risk management, security testing, and regulatory submission aspects. For postmarket activities, the IMDRF recommendations address information sharing, coordinated vulnerability disclosure, vulnerability remediation, and incident response.
FDA Guidance Documents vs. IMDRF: What’s New and What’s Changed
The new document overlaps extensively with the existing FDA guidance documents, so manufacturers already following FDA guidance will be well-positioned to meet the IMDRF guidelines. However, there are a few important differences:
- Total Lifecycle Approach — Unlike existing FDA guidance documents, the IMDRF guidance document combines premarket and postmarket recommendations in one document. This “total lifecycle” approach will help manufacturers develop a more cohesive and comprehensive cybersecurity plan for their products. For example, manufacturers should be thinking about a plan for secure postmarket patches and updates from the earliest stages of development, rather than waiting until after the product has been released.
- Elimination of Risk Tiers — The FDA currently separates medical devices into two risk categories: “low security risk” devices do not require as much documentation and testing as “high security risk” devices. However, the definitions of “high risk” vs. “low risk” are not well-described and may be considered somewhat subjective. This has created a degree of confusion for device manufacturers, who may not be sure which category their device falls under and, consequently, what is required in their premarket submission.
The IMDRF guidance document does not attempt to classify medical devices by risk profile; all medical devices are subject to the same requirements for cybersecurity risk assessment and mitigation. This does not necessarily mean that devices commonly understood to be “low risk” (e.g., not presenting a physical safety or data security risk if hacked or tampered with) will now be subject to additional testing or more stringent mitigation solutions, but premarket submissions must address all possible risks and clearly demonstrate why some risks do not apply to the device in question.
- Shared Responsibility — The IMDRF guidance addresses multiple stakeholders, including medical device manufacturers, regulatory agencies, end users, and cybersecurity researchers. The document’s postmarket section addresses healthcare providers by assigning to them equal responsibility for medical device cybersecurity and recommending adoption of a risk-management process for devices connected to their IT infrastructure.
Expanded Focus on Cybersecurity Risks for Legacy Medical Devices
The guidance document’s postmarket section places a special emphasis on legacy devices, outlining more detailed and stringent recommendations for legacy devices than current FDA postmarket guidelines. IMDRF notes: “As vulnerabilities change over time, premarket controls designed and implemented may be inadequate to maintain an acceptable risk profile; therefore, a postmarket approach is necessary in which multiple stakeholders play a role…This challenge is further exacerbated by the fact that the clinical utility of a device often outlasts their security supportability.”
The guidance document lays out a multi-pronged approach to ensuring the continued safety and security of legacy devices, spreading responsibility across all stakeholders:
- Patches and Updates — Medical device manufacturers should implement a plan for patching bugs and newly identified security vulnerabilities, as well as updates with new functionality. The plan must address how the patch or update is rolled out (e.g., automatically distributed through the cloud, or applied by an on-site technician), as well as any safety or security vulnerabilities created by the update process itself.
- The Software Bill of Materials and Third-party Component Risk Assessment — Most medical devices contain third-party software or hardware components with their own security vulnerabilities. Manufacturers are responsible for staying aware of vulnerabilities identified in the third-party chips, boards, operating systems, and code their devices use. Creating an accurate software bill of materials (BOM) that lists all third-party code used in the device enables both manufacturers and end users to check for reported vulnerabilities that may impact the device. The National Vulnerability Database managed by NIST (National Institute of Standards and Technology) is a reliable source for reported vulnerabilities.
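As an added illustration of the check this item describes (not code from the IMDRF or FDA documents), the Python script below matches a device's software bill of materials against a vulnerability feed by version range. The component names, versions and CVE-style IDs are constructed placeholders, and the range fields are modelled loosely on the NVD's versionStartIncluding/versionEndExcluding fields; a real check would pull current NVD data for each listed component.

```python
from typing import Optional

# Constructed SBOM for a hypothetical device: names and versions are placeholders.
DEVICE_SBOM = [
    {"name": "example-rtos", "version": "6.9.2"},
    {"name": "example-tls", "version": "1.0.2"},
    {"name": "example-http", "version": "3.4.0"},
]

# Constructed feed, shaped loosely like NVD's versionStartIncluding /
# versionEndExcluding range fields. The CVE-style IDs are placeholders, not real.
VULN_FEED = [
    {"id": "CVE-0000-0001", "product": "example-rtos",
     "versionStartIncluding": "6.5.0", "versionEndExcluding": "7.0.0"},
    {"id": "CVE-0000-0002", "product": "example-tls",
     "versionStartIncluding": "1.1.0", "versionEndExcluding": "1.1.1"},
    {"id": "CVE-0000-0003", "product": "example-http",
     "versionStartIncluding": None, "versionEndExcluding": "3.5.0"},
]

def parse_version(v: str) -> tuple:
    """'6.9.2' -> (6, 9, 2), so '6.10.0' sorts after '6.9.2' (a string compare would not)."""
    return tuple(int(p) for p in v.split("."))

def in_range(version: str, start: Optional[str], end: Optional[str]) -> bool:
    """True when start <= version < end; a missing bound is open-ended."""
    v = parse_version(version)
    if start is not None and v < parse_version(start):
        return False
    if end is not None and v >= parse_version(end):
        return False
    return True

def match_sbom(sbom, feed) -> dict:
    """Map each SBOM component name to the IDs of feed entries whose range it falls in."""
    hits = {}
    for comp in sbom:
        for vuln in feed:
            if vuln["product"] == comp["name"] and in_range(
                    comp["version"], vuln["versionStartIncluding"], vuln["versionEndExcluding"]):
                hits.setdefault(comp["name"], []).append(vuln["id"])
    return hits

if __name__ == "__main__":
    # Components with no matching range (example-tls here) are simply absent from the report.
    for name, ids in match_sbom(DEVICE_SBOM, VULN_FEED).items():
        print(f"{name}: {', '.join(ids)}")
```

The same matching logic applies to an end user's inventory of connected devices: the SBOM supplied by the manufacturer is the input, and the output is the list of entries that need a patch or a documented mitigation.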
- Communication with End Users / End User Responsibilities — Manufacturers must ensure that end users have timely and accurate information about newly identified security vulnerabilities and what they can do to mitigate them, including patch or update plans. The guidance document also requires manufacturers to clearly communicate when a legacy device will no longer be supported or updated. Conversely, end users have a responsibility to pay attention to information provided by manufacturers, ensure that necessary patches and updates for legacy devices are made in a timely manner, and remove non-supported devices from their networks.
- Coordinated Vulnerability Disclosure — The draft expands on current FDA guidelines addressing how security researchers should disclose identified vulnerabilities and how manufacturers should respond. The IMDRF clearly outlines responsibilities for all parties, including security researchers, manufacturers and regulators. Manufacturers should have publicly available information for security researchers and users instructing them how to communicate information about identified bugs or security vulnerabilities.
Manufacturers should also outline internal processes explaining how they will respond to submitted vulnerability reports. These should detail how potential vulnerabilities will be verified and related risks assessed; how to communicate verified vulnerabilities to regulators, end users, and information sharing organizations (e.g., H-ISAC, the Health Information Sharing and Analysis Center); how risk mitigation decisions will be made and communicated; and who is responsible for implementing each portion of the plan.
- Regulatory Disclosure and Resubmission Requirements — Manufacturers must communicate information about security vulnerabilities, patches, and updates for legacy devices to the appropriate regulatory agency (or agencies). It is the agency’s responsibility to review the information and determine whether the changes will require a new regulatory submission. The guidance document does not attempt to make a definitive statement about what types of changes would trigger a new regulatory submission requirement. However, it does provide regulatory agencies with a series of questions they can ask in making the determination.
For example, what is the nature of the risk associated with the identified vulnerability? Does the recommended patch or update address the risk adequately? What is the probability that new risks have been introduced by the patch or update? Is the update strictly focused on addressing an identified vulnerability, or does it introduce new functionality that may be linked to new risks? Manufacturers should clearly address these questions when submitting documentation to help regulators make the correct determination.
What Medical Device Manufacturers Should Do Now
The IMDRF draft guidance document is available for review through Dec. 2, and manufacturers and other stakeholders are encouraged to provide feedback on its contents. Manufacturers may also want to note new guidelines that differ from their current cybersecurity risk management practices.
The draft’s release is particularly timely in light of a warning issued by the FDA — on the same day that the IMDRF guidance was released — regarding the “URGENT/11” set of vulnerabilities impacting medical devices from a considerable number of manufacturers. The FDA advisory warns that the reported vulnerabilities can be exploited by remote attackers and may impact medical devices and hospitals. The advisory further notes that “URGENT/11” affects several operating systems — which may then impact certain medical devices connected to a communications network (such as Wi-Fi and public or home internet), as well as other connected equipment, including routers, connected phones, and other critical infrastructure equipment.
These cybersecurity vulnerabilities may allow a remote user to take control of a medical device and change its function, cause denial of service, or cause information leaks or logical flaws, which may prevent a device from functioning properly or at all. The FDA is coordinating with affected medical device manufacturers and healthcare providers to mitigate issues stemming from the reported vulnerabilities.
The new IMDRF guidance document will go a long way towards clarifying expectations and best practices for medical device cybersecurity, especially for manufacturers selling to a global market. Of course, manufacturers will always have to defer to local regulatory requirements when submitting medical devices for approval in a new country, and minor differences may persist between countries and agencies.
However, this document is likely to serve as a blueprint for most regions, including the next round of FDA guidance documents. Manufacturers who put the IMDRF guidelines into practice will be well-positioned for approval throughout all their markets.
About the Author
Sagar Patel is cybersecurity lead for Battelle’s DeviceSecure Services, which is aimed at helping medical device manufacturers identify and resolve potential cybersecurity threats at various stages of product development. Apart from working with device manufacturers, Sagar is also responsible for development of new testing toolsets, conducting research into novel penetration testing techniques, and collaborating with product development teams on security aspects of internal product development. Sagar is a voting member of the AAMI Device Security working group, contributing to security guidance and standards for medical devices.