The Food and Drug Administration on Thursday released draft guidance on cybersecurity considerations for medical devicemakers submitting materials for premarket review, a step toward updating guidance released seven years ago.
The proposal, which replaces an earlier draft the FDA released in 2018, would add expectations related to software development and transparency for medical devices that incorporate software. The FDA is seeking feedback from the public on the proposal.
Once finalized, the new guidance would replace premarket guidance for medical device cybersecurity last updated in 2014.
“Given the rapidly evolving device cybersecurity landscape, FDA is issuing this draft guidance … to further emphasize the importance of ensuring that devices are designed securely, are designed to be capable of mitigating emerging cybersecurity risks throughout the total product life cycle, and to clearly outline FDA’s recommendations for premarket submission content to address cybersecurity concerns, including device labeling,” the FDA said in its notice in the Federal Register.
The FDA’s premarket guidances set expectations for how device manufacturers should design and label products—as well as what documentation they should provide on their design and development work—when submitting information to the agency for premarket review to ensure they meet the agency’s standards.
The FDA last released postmarket guidance for managing medical device cybersecurity in 2016.
The latest draft guidance recommends devicemakers adopt a “secure product framework”—a set of software development practices that prioritize security—to identify and reduce vulnerabilities throughout the product development lifecycle. That includes assessing risks as new cybersecurity threats are discovered after a product’s been released.
The guidance also would set recommendations on what cybersecurity documentation devicemakers should submit with applications for investigational device exemptions in clinical trials.
It also recommends creating a “software bill of materials” for each medical device, building on its 2018 predecessor’s recommendation for a “cybersecurity bill of materials.” A software bill of materials would document all software components in a device, including proprietary software developed by the manufacturer and third-party commercial and open-source software.
The federal government has published 110 advisories on medical device vulnerabilities disclosed by medical device manufacturers since the FDA released its 2016 post-market guidance, according to data compiled by cybersecurity company MedCrypt and released last month.
Such vulnerabilities can be dangerous for hospitals and patients, since medical devices connected to the internet or internal hospital networks can be hacked, be disrupted during the course of a ransomware attack or provide a window for cybercriminals to enter a hospital’s broader network and steal data, according to cybersecurity experts. Cyberattacks can disrupt medical care by delaying procedures or forcing patient diversions.
The FDA’s new proposal on premarket submissions highlighted the 2017 WannaCry ransomware attack that infected computers and devices worldwide—including some radiology equipment—as an example of a cyberattack that affected hospitals and medical devices.
“Cybersecurity incidents have rendered medical devices and hospital networks inoperable, disrupting the delivery of patient care across healthcare facilities in the U.S. and globally,” the draft guidance stated. “Such cyber attacks and exploits may lead to patient harm as a result of clinical hazards, such as delay in diagnoses and/or treatment.”
The FDA is accepting feedback on the draft guidance through July 7, after which the agency said it will begin work on a final version.