Today the Food and Drug Administration (FDA) published a notice in the Federal Register (79 FR 59493-59494) announcing that it had published a new guidance document about cybersecurity for medical devices; “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices”. A draft version of this non-binding guidance document was released for public comment in June of 2013.
The document is designed to address cybersecurity issues to be addressed in premarket data submissions for “devices that contain software (including firmware) or programmable logic as well as software that is a medical device organized. It is divided into sections dealing with:
• General Principles;
• Cybersecurity Functions;
• Cybersecurity Documentation; and
• Established Standards
After stating the obvious that “medical device security is a shared responsibility between stakeholders, including health care facilities, patients, providers, and manufacturers of medical devices” (pg 3) the FDA goes on to explain that:
“Manufacturers should address cybersecurity during the design and development of the medical device, as this can result in more robust and efficient mitigation of patient risks. Manufacturers should establish design inputs for their device related to cybersecurity, and establish a cybersecurity vulnerability and management approach as part of the software validation and risk analysis that is required by 21 CFR 820.30(g).” [Link added] (pg 4)
In the only documented reference in this guidance to the recent NIST Cybersecurity Framework (CSF), the FDA identifies the five cybersecurity functions outlined in the CSF; Identify,
Protect, Detect, Respond, and Recover. Unfortunately, the FDA totally ignores the opportunity to reference the CSF as a way to identify cybersecurity activities, desired outcomes, and
applicable references that a medical device manufacturer could use to establish their cybersecurity management program.
Instead the Guidance document relies on two pages of bullet points of the ‘motherhood and apple pie’ variety. For example, under the ‘Limit Access’ category they include such earth shattering recommendations as:
• Limit access to devices through the authentication of users (e.g. user ID and password, smartcard, biometric); and
• Where appropriate, provide physical locks on devices and their communication ports to minimize tampering;
As you might expect for a guidance document that is focused on cybersecurity information that will be submitted to FDA as part of the device approval process, the most specific guidance is found under this heading. The FDA outlines five specific types of documentation that may be specifically required for the approval process. They are (pg 6):
• Hazard analysis, mitigations, and design considerations pertaining to intentional and unintentional cybersecurity risks;
• A traceability matrix that links your actual cybersecurity controls to the cybersecurity risks;
• A summary describing the plan for providing validated software updates and patches as needed throughout the lifecycle of the medical device;
• A summary describing controls that are in place to assure that the medical device software will maintain its integrity (e.g. remain free of malware) from the point of origin to the point at which that device leaves the control of the manufacturer; and
• Device instructions for use and product specifications related to recommended cybersecurity controls appropriate for the intended use environment.
Interestingly, in this section the FDA specifically abdicates responsibility for cybersecurity system updates, noting that: “The FDA typically will not need to review or approve medical device software changes made solely to strengthen cybersecurity.”
Even though this is the ‘final’ version of the Guidance document, the FDA is soliciting comments from the regulated and affected communities. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # FDA-2013-D-0616).
You can find copies of public responses to the draft guidance document published last year in the same docket. Unfortunately, there is nothing in today’s notice or final guidance document that provides any insight into how the FDA addressed the concerns outlined in the 26 public and industry responses to that draft document.