The U.S. Food & Drug Administration issued select updates to premarket cybersecurity guidance on March 13, including who is required to comply, the types of devices that fall under certain agency requirements and recommendations on how to document related compliance in premarket submissions.
WHY IT MATTERS
FDA wrote in the Federal Register on Wednesday that the proposed update to its guidance, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, considers the “ability to connect to the Internet’ to include devices that can connect whether intentionally or unintentionally, through any means – including at any point identified in the evaluation of the threat surface of the device and the environment of use.”
Specifically, the agency said in the new draft that it considers devices that are WiFi or cellular; network, server or cloud service provider connections; Bluetooth or Bluetooth Low Energy; radiofrequency communications; inductive communications; and ethernet and similar hardware connections as having the ability to connect to the Internet.
The required coordinated vulnerability disclosure could include:
Coordinated disclosure of vulnerabilities and exploits identified by external entities, including third-party software suppliers and researchers.
Disclosure of vulnerabilities and exploits identified by the manufacturer of cyber devices.
Manufacturer procedures to carry out disclosures of such vulnerabilities and exploits.
The agency suggested that the plans required under section 524B of the FD&C Act describe the timeline with associated justifications to develop and release required updates and patches.
That would include known unacceptable vulnerabilities “on a reasonably justified regular cycle,” as well as available patches for critical vulnerabilities that trigger “uncontrolled risks to the device and related systems” as soon as possible out of the regular cycle.
The agency is also recommending that covered device manufacturers “anticipate and make appropriate updates to these plans, as well as to the processes and procedures” as new information becomes available, such as when “new risks, threats, vulnerabilities, assets or adverse impacts are discovered throughout the total product lifecycle,” the agency suggested.
Further, manufacturers should create or update appropriate threat modeling documentation to maintain it throughout the device life cycle, the agency noted.
“Doing so will allow manufacturers to quickly identify vulnerability impacts once a device is released and could also help satisfy the patching requirements of section 524B,” FDA said.
The deadline for public comments is May 13. The draft can be downloaded from FDA’s Digital Health Center of Excellence cybersecurity page.
THE LARGER TREND
In the most recent final medical device premarket submission guidelines released in September, FDA recommended further documentation on constituent parts in cyber devices, as defined in section 524B that cybersecurity considerations “including but not limited to devices that have a device software function or that contain software – including firmware – or programmable logic” in medical device premarket submissions.
While the guidelines are voluntary and have thus sparked some debate in the healthcare IT sector – as they did this week at a panel session on IT strategies for securing medical devices from cyberattacks held at the HIMSS24 Conference and Exhibition in Orlando – FDA has also been scrutinized by the Government Accountability Office to strengthen cybersecurity oversight since it released the final guidelines.
After GAO reviewed the cybersecurity in medical devices under the Consolidated Appropriations Act of 2023, it recommended the FDA and the Cybersecurity and Infrastructure Security Agency update their agencies’ medical device cybersecurity coordination agreement.
GAO noted in its report, released in December, that while FDA is implementing new cybersecurity authorities, it had not yet identified the need for any additional authority.
“They can take measures to help ensure device cybersecurity under existing authorities such as monitoring health sector and CISA alerts, as well as directing manufacturers to communicate vulnerabilities to user communities and to remediate the vulnerabilities,” the GAO said.
This week’s draft update aims to direct software and device manufacturers further on how to structure cybersecurity maintenance of medical and biologic devices and component devices that can be accessed online.
ON THE RECORD
“It is well-demonstrated that if a device has the ability to connect to the Internet, it is possible that it can be connected to the Internet, regardless of whether such connectivity was intended by the device sponsor,” said FDA in the draft update to section 524B of the FD&C Act.
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.
