According to the FDA’s draft guidance issued today, “Cybersecurity incidents have rendered medical devices and hospital networks inoperable, disrupting the delivery of patient care across healthcare facilities in the US and globally. Such cyberattacks and exploits can delay diagnoses and/or treatment and may lead to patient harm.”
Under the proposed draft guidance, manufacturers will be required to better protect their devices in a more uniform manner, as prescribed by the FDA. The new pre-market submission proposals are designed to help guide the industry in designing these digital safety mechanisms from the beginning of product design and development.
The New Guidance covers Premarket Notification (510(k)) submissions (including Traditional, Special, and Abbreviated); De Novo requests; Premarket Approval Applications (PMAs); Product Development Protocols (PDPs) that contain software (including firmware) or programmable logic; as well as software that is a medical device.
While manufacturers are required under Quality System Regulations to establish and maintain procedures for validating the device’s design, including software validation and risk analysis, the FDA is recommending that validation include design controls to ensure medical device cybersecurity and maintain medical device safety and effectiveness. Including these design controls may make it easier for the FDA to “find your device meets its applicable statutory standard for premarket review.”
The recommendations in the newly released Draft Guidance describe using a more risk-based approach to the design and development of appropriate cybersecurity protections. The FDA wants manufacturers to design programs to follow their devices throughout the device lifecycle, monitor new and potential threats, and issue cybersecurity updates to thwart new attempts at unauthorized digital access of the devices.
Because devices that connect to the internet or wirelessly to other devices pose a new and larger threat to cybersecurity, the FDA is requiring that a Cybersecurity Bill of Materials be included in the manufacturer’s filing to identify key components and accessories that could render the device vulnerable to “hacking.” The FDA is creating a new Tier 1 level of standards for these devices to ensure greater security than Tier 2 devices (those that are not wirelessly or internet connected).
Appropriate authorization controls, such as IDs, passwords, time-limited sessions with auto logout, and layered authorization (i.e., patient, healthcare professional, technician), should now be used in the design of these devices. Authentication and authorization of critical safety commands will be considered in new submissions. In addition, proper labeling to warn patients and providers of the cybersecurity risks involved in these devices is essential.
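The sketch below is an added example, not taken from the FDA guidance or from this article, showing how the controls named above (time-limited sessions with auto logout, layered authorization by role, and a fresh credential check before critical safety commands) can be combined in one authorization gate. The command names, role strings, and timeout values are assumptions chosen for illustration.

```python
from dataclasses import dataclass

IDLE_TIMEOUT_S = 300    # assumed value: auto logout after 5 idle minutes
REAUTH_WINDOW_S = 60    # assumed value: critical commands need a login this recent

# Hypothetical command table: (roles allowed, is the command safety-critical?)
COMMANDS = {
    "read_status":     ({"patient", "clinician", "technician"}, False),
    "set_dose_rate":   ({"clinician"}, True),
    "update_firmware": ({"technician"}, True),
}

@dataclass
class Session:
    user: str
    role: str
    last_auth: float     # time of the last successful credential check
    last_seen: float     # time of the last accepted command
    active: bool = True

def login(user, role, now):
    """Open a session after credentials were verified (verification not shown)."""
    return Session(user, role, last_auth=now, last_seen=now)

def reauthenticate(session, now):
    """Record a fresh credential check; refused once the session has timed out."""
    if session.active and now - session.last_seen <= IDLE_TIMEOUT_S:
        session.last_auth = session.last_seen = now
        return True
    session.active = False
    return False

def authorize(session, command, now):
    """Return 'allowed', 'denied', 'reauth_required' or 'logged_out'."""
    if not session.active or now - session.last_seen > IDLE_TIMEOUT_S:
        session.active = False    # auto logout: the session cannot be revived
        return "logged_out"
    # Unknown commands get an empty role set, so they are always denied.
    roles, critical = COMMANDS.get(command, (set(), True))
    if session.role not in roles:
        return "denied"
    if critical and now - session.last_auth > REAUTH_WINDOW_S:
        return "reauth_required"
    session.last_seen = now
    return "allowed"
```

Timestamps are passed in explicitly so the timeout behaviour can be checked deterministically; a device would supply a monotonic clock.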
For an updated list of FDA-recognized consensus standards, the Agency recommends that you refer to the FDA Recognized Consensus Standards Database.