What Quality System Requirements are Needed for Medical Device Cybersecurity? New FDA Draft Guidance

04/19/2022

The US Food and Drug Administration (FDA) released a draft guidance, “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions,” for comment in April 2022. When finalized, the draft guidance will modernize premarket expectations for medical devices that use advanced connection technologies and may therefore pose a cybersecurity risk. The draft guidance also describes medical device cybersecurity design, labeling, and the documentation recommended for inclusion in premarket submissions for devices with a cybersecurity risk.


Background

Medical devices have become increasingly complex since the previous guidance documents were released: “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” in 2014 and “Postmarket Management of Cybersecurity in Medical Devices” in 2016. Many devices now rely on internet connectivity, Bluetooth, cellular service, or other modern technology, which increases the device's exposure to security vulnerabilities. Cyberattacks can disrupt medical device capabilities in hospitals, in homes, or in other locations where the device is used. For certain medical devices, such as implantable ones, disruption can be life altering or life threatening. Cybersecurity is an integral part of medical device safety and of complying with the quality system regulation found in 21 CFR Part 820. Security objectives should be implemented and integrated into the medical device design and system architecture.

The FDA clarifies that the security of medical devices does not rest solely with the device manufacturer: other stakeholders (e.g., patients, medical facilities, etc.) must also ensure that the environment in which the medical device is used is secure (e.g., antimalware, passwords, etc.). The draft guidance applies to medical devices that contain software, firmware, or programmable logic, and to software as a medical device (SaMD).

Summary of Guidance

The following are considerations for medical device quality systems from the draft guidance:

  • Using a Secure Product Development Framework (SPDF) to manage cybersecurity risks is one way to satisfy the requirements of the quality system regulation

  • Implementing security risk management includes:

    • Threat modeling

    • Third party software components

    • Security assessment of unresolved anomalies

    • Security risk management documentation

    • Total product life cycle security risk management

  • Implementing a security architecture includes:

    • Identifying risks in the medical device and the system where it will function

    • Implementing appropriate security controls to mitigate identified risks

    • Demonstrating that the identified risks are adequately controlled

    • Maintaining documentation of security architecture views

  • Testing to ensure cybersecurity design controls are effective, including security requirements, threat mitigation, vulnerability testing, and penetration testing.

Transparency for medical device cybersecurity controls includes:

  • Labeling recommendations for medical devices that have cybersecurity risks

  • Establishing a management plan to identify and communicate vulnerabilities after the medical device is in use

The draft guidance includes the following supporting appendices:

  • Security control categories and associated recommendations

  • Submission documentation for security architecture flows

  • Submission documentation for investigational device exemptions

  • Terminology

The submission documentation should explain how the medical device's cybersecurity design scales with risk. Effective cybersecurity and transparency should be built into the medical device design. When finalized, the draft guidance will modernize how medical devices with software are designed to incorporate security measures and to mitigate cybersecurity risks, and it will more clearly outline how this information is to be included in premarket submissions.

Comment on the draft guidance now through July 7, 2022 HERE.


-The Clinical Pathways Team 