By Cynthia Schnedar and Samantha Eakes, Greenleaf Health
In the age of connectivity, cybersecurity has become critical to all stakeholders in the medical device field. Different federal agencies in the United States (U.S.), as well as agencies across the globe, have begun to address this issue through regulatory guidance and enforcement action.
The U.S. has taken steps in recent years to detect cybersecurity vulnerabilities and to provide recommendations for stakeholders to address any potential patient harm. In particular, the U.S. Food and Drug Administration (FDA) has taken a significant role in working with the medical device industry, healthcare providers, and patients to proactively address cybersecurity concerns.
FDA Medtech Cybersecurity Efforts
In a Nov. 14, 2019 blog post, Balancing Patient Engagement and Awareness with Medical Device Cybersecurity, two FDA leaders laid out the vision FDA’s Center for Devices and Radiological Health (CDRH) is trying to achieve in cybersecurity. Amy Abernethy, M.D., Ph.D., Principal Deputy Commissioner and Acting Chief Information Officer, and Suzanne B. Schwartz, M.D., M.B.A., Deputy Director, Office of Strategic Partnerships and Technology Innovation, CDRH, write “[t]he CDRH cybersecurity vision is one where the medical device community takes bold action to transform medical devices from brittle to resilient. Every device would meet a security baseline; every device would be easily updatable; and patients would receive timely updates.”
FDA published guidance documents on cybersecurity as early as 2005 but, since 2014, the Agency has been more prolific in releasing new guidances. FDA issued a final guidance on premarket cybersecurity concerns in October 2014 and, in 2018, issued the draft guidance Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, intended to supersede the 2014 document. FDA notes in the 2018 draft guidance that “the rapidly evolving landscape, and the increased understanding of the threats and their potential mitigations, necessitates an updated approach.”
In December 2016, FDA published the final guidance Postmarket Management of Cybersecurity in Medical Devices, emphasizing “that manufacturers should monitor, identify, and address cybersecurity vulnerabilities and exploits as part of their postmarket management of medical devices.”
In addition to guidance documents, FDA has published several safety alerts and recalls notifying stakeholders when a specific medical device has been subject to a cybersecurity attack. These alerts also notified stakeholders what they should do to address the identified vulnerability. FDA also has sent out proactive notices to the medical device community regarding cybersecurity best practices and potential vulnerabilities.
While FDA has been active in addressing industry cybersecurity medtech concerns, until recently, the cybersecurity space lacked international guidance that aligned with FDA efforts on the topic. Now, though, the International Medical Device Regulators Forum (IMDRF) has taken a significant step towards starting that harmonization process.
On Oct. 1, 2019, the IMDRF published its first draft guidance document focused exclusively on medical device cybersecurity, Principles and Practices for Medical Device Cybersecurity. The document is intended to help facilitate international regulatory convergence on medical device cybersecurity by explaining fundamental concepts, best practices, and recommendations for all stakeholders. The guidance references both medical devices that contain software and devices that exist as software only. It focuses on the potential for patient harm due to impacts of medical device cybersecurity and does not discuss other types of harm, such as invasion of privacy.
While the U.S. FDA has been active in medical device cybersecurity leadership, Health Canada has been similarly forward-thinking. Thus, it was fitting the IMDRF draft guidance was developed by a working group led by Suzanne Schwartz from the U.S. FDA and Marc Lamoureux from Health Canada. Not surprisingly, the new IMDRF draft guidance closely aligns with both U.S. and Canadian regulations.
A main focus of the IMDRF draft guidance is to help define the role each stakeholder group can play in helping to support proactive cybersecurity. The guidance discusses not only the role of medical device manufacturers, but that of healthcare organizations, clinicians, patients, caregivers, consumers, regulators, and information-sharing entities. It recommends these stakeholders “employ a risk-based approach to the design and development of medical devices with appropriate cybersecurity protections; minimize risks that could arise from the use of the device for its intended purposes; and to ensure maintenance and continuity of critical device safety and effectiveness.”
The guidance addresses stakeholder roles and cybersecurity considerations in three main sections: General Principles; Pre-Market Considerations for Medical Device Manufacturers; and Post-Market Considerations for Medical Device Cybersecurity.
General Principles notes the importance of assessing risks associated with cybersecurity threats and vulnerabilities throughout a device’s total product life cycle (TPLC). The guidance states “risk management should be applied throughout the total product lifecycle (TPLC) where cybersecurity risk is evaluated and mitigated in the design, manufacturing, testing, and post-market monitoring activities.” It also outlines recommended actions that manufacturers should take as part of their risk management process, such as identifying vulnerabilities, evaluating the associated risks, controlling them to an acceptable level, and monitoring the effectiveness of controls.
Other general principles the guidance outlines include stakeholders’ shared responsibilities in device cybersecurity, the importance of information sharing among stakeholders, the ability to identify, protect, detect, respond, and recover, as well as global harmonization.
While the guidance stresses the importance of risk assessment throughout the TPLC, it adds that manufacturers must address critical Pre-Market Considerations during device development, as well. Incorporating specific design elements and controls that address cybersecurity during product development will help reduce potential threats and vulnerabilities after the product has gone to market. The guidance outlines several design principles for manufacturers to consider, including secure communications, data confidentiality, data integrity, user access, software maintenance, hardware or physical design, and reliability and availability.
Other topics outlined in the pre-market section include risk management, security testing, and developing a post-market management strategy. The guidance also provides recommendations to manufacturers on ways to address cybersecurity vulnerabilities through labeling, such as providing a Software Bill of Materials (SBOM) to end users.
Of note, the FDA 2018 draft guidance suggested that manufacturers provide a cyber bill of materials (CBOM) that includes both software and hardware. However, FDA received objections from industry that the focus should be on software, where the greatest vulnerabilities exist. The inclusion of SBOM only in the IMDRF guidance is being interpreted as a signal that FDA will change its own guidance to address only SBOM, rather than CBOM. Lastly, the section notes that manufacturers must address the regulatory submission requirements related to cybersecurity vulnerabilities and references additional international guidance documents on this topic.
Finally, the draft guidance outlines Post-Market Considerations for all stakeholder groups to help a product maintain an acceptable risk profile, identifying both maintenance steps and actions to take if a new threat is identified and a product is compromised. The document provides best practices for healthcare providers, patients, and manufacturers operating the device in its intended use environment, such as ensuring adequate user training.
The guidance also discusses information sharing methods to increase transparency among stakeholders, as well as coordinated vulnerability disclosure (CVD). Lastly, the section addresses steps that each stakeholder group should take when responding to a cybersecurity vulnerability, such as communication to stakeholders, remediation actions, and incident response.
Overall, the IMDRF draft guidance is a critical first step in creating global convergence on best practices and considerations for addressing cybersecurity risks that have the potential to cause patient harm. The document's public comment period closed Dec. 2, 2019.
What Does This Mean?
In general, the increasing number of guidance documents being published on this topic, as well as the actions of regulatory bodies, speak to the importance of medical device cybersecurity. As explained in the IMDRF guidance, all stakeholders play a critical role in identifying and addressing cybersecurity vulnerabilities to prevent patient harm.
Significantly, on the same day IMDRF published its draft guidance, FDA issued a Safety Communication that URGENT/11 Cybersecurity Vulnerabilities in a Widely-Used Third-Party Software Component May Introduce Risks During Use of Certain Medical Devices. The safety alert warns of 11 vulnerabilities — dubbed “URGENT/11” — that may introduce risks for certain medical devices and healthcare organizations, adding to an advisory released in July by the Cybersecurity and Infrastructure Security Agency within the U.S. Department of Homeland Security. Per FDA, the vulnerabilities exist in IPnet, a third-party software component that may affect several operating systems currently used in medical devices.
FDA noted that it is not presently aware of any confirmed adverse events related to these vulnerabilities. Still, the timing of FDA’s warning serves as an excellent example of the need for continued vigilance and guidance to stakeholders in this area. The URGENT/11 safety communication was one of nine safety communications concerning cybersecurity vulnerabilities that FDA has issued since 2013.
Increasing activity in this space likely means more guidance is forthcoming. It is anticipated that future FDA guidance will align with the IMDRF draft guidance, including a revision of the current premarket draft guidance on cybersecurity. The IMDRF draft guidance also will be updated based on stakeholder comments and the organization may create additional guidance on more specific cybersecurity topics. It is also likely that other international regulators will start to develop their own cybersecurity guidance documents, and stakeholders are hopeful that other regulators will choose to align with the IMDRF guidance.
Regulators across the globe recognize that they cannot address medical device cybersecurity alone, and that a collaborative effort with stakeholders across the healthcare ecosystem is necessary to build protections that will prevent and mitigate cybersecurity attacks. Achieving global alignment in cybersecurity requirements is an important step toward this end, making this new IMDRF guidance a vital tool toward ensuring patient safety.
About The Authors
Cynthia Schnedar is executive VP of regulatory compliance at Greenleaf Health. She was formerly director of the Office of Compliance for the FDA’s CDER. During her time at the FDA, she spearheaded efforts to protect the American public from unsafe and ineffective drug products by ensuring companies comply with federal standards for quality and safety. Among her many duties, Schnedar advised the FDA commissioner, the CDER director, and other senior FDA officials on significant enforcement issues. Schnedar spent more than two decades at the Department of Justice, where she specialized in compliance and enforcement issues and served as acting inspector general. She earned a B.A. from the University of New Mexico and a J.D. from the University of Texas School of Law. You can connect with her on LinkedIn.
Samantha Eakes is Senior Manager of Regulatory Affairs at Greenleaf Health. She specializes in developing communications and advocacy strategies, conducting research, and providing regulatory insight for clients. She recently received her Master’s in Public Health (MPH) from Boston University. Prior to completing her MPH, Samantha received her Bachelor of Arts in psychology from Boston University where she graduated summa cum laude. You can contact her at firstname.lastname@example.org or can connect with her on LinkedIn.