Saturday, April 9, 2022

Review - FDA Publishes Draft Medical Device Cybersecurity Guidance

Yesterday, the FDA published a notice of availability in the Federal Register (87 FR 20878-20875) for a Draft Guidance Document on “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions”. The draft guidance can be downloaded from the Federal eRulemaking Portal.

According to the Summary in the Notice:

“This draft guidance is intended to further emphasize the importance of ensuring that devices are designed securely, are designed to be capable of mitigating emerging cybersecurity risks throughout the Total Product Life Cycle, and to clearly outline FDA's recommendations for premarket submission content to address cybersecurity concerns.”

The summary goes on to remind folks that: “This draft guidance is not final nor is it for implementation at this time.”

Comment Solicitation

The FDA is soliciting comments on this draft guidance. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket FDA-2021-D-1158). Comments should be submitted by July 7th, 2022.

Commentary

First off, I am not a doctor, not even a medical device engineer, nor have I played one on TV. Having said that, it seems to me that there may be a little too much focus on cybersecurity in this guidance document. I know, that is what the document is about, but it seems to miss the fact that it is not really cybersecurity that we are concerned about when we talk about medical devices; it should primarily be about protecting patient safety, secondarily about protecting patient information and confidentiality, and only then about protecting the device and medical network.

While a Secure Product Development Framework (SPDF) is certainly important in any software development cycle, it is not sufficient, since we know that what people design is going to be imperfect. This means that there will be vulnerabilities in even well-designed systems. Whenever safety is an issue, and it certainly is in medical devices, we need to go beyond SPDF and look at Consequence-driven Cyber-informed Engineering (CCE). This methodology, developed at the Idaho National Laboratory (INL), concentrates on identifying the safety consequences of system errors and vulnerabilities and working to mitigate those consequences. This methodology should be included in any discussion about cybersecurity for medical devices.

For more details about the draft guidance document, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/fda-publishes-draft-medical-device - subscription required.
