FDA Has Something to Say about Medtech Cybersecurity

Stephen Levy

June 12, 2014


Six weeks ago, we wrote about an FBI warning concerning the risk of hacking to medical devices. Now the FDA has weighed in with a Draft Guidance intended to help manufacturers consider all the angles as they ready their devices for submission for approval.

"Content of Premarket Submissions for Management of Cybersecurity in Medical Devices" is a draft guidance, open for comment for 90 days. FDA says that this guidance is intended to supplement its "Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices" and "Guidance to Industry: Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software."

The draft guidance begins, "This guidance has been developed by the FDA to assist industry by identifying issues related to cybersecurity that manufacturers should consider in preparing premarket submissions for medical devices. The need for effective cybersecurity to assure medical device functionality has become more important with the increasing use of wireless, Internet- and network-connected devices, and the frequent electronic exchange of medical device-related health information."

The FDA defines cybersecurity as "the process of preventing unauthorized modification, misuse or denial of use, or the unauthorized use of information that is stored, accessed, or transferred from a medical device to an external recipient."

The new guidance will apply to premarket submissions for devices that contain software (including firmware) or programmable logic. That covers Premarket Notifications (510(k)), whether Traditional, Special, or Abbreviated; de novo petitions; Premarket Approval Applications (PMA); Product Development Protocols (PDP); and Humanitarian Device Exemption (HDE) submissions.

The FDA acknowledges that not all medical devices are created equal: "The extent to which security controls are needed will depend on the medical device, its environment of use, the type and probability of the risks to which it is exposed, and the probable risks to patients from a security breach. Medical devices capable of connecting to another medical device, to the Internet or other network, or to portable media (e.g. USB or CD) are more vulnerable to cybersecurity threats than devices that are not connected."


The FDA advises manufacturers to "develop a set of security controls to assure medical device cybersecurity to maintain information confidentiality, integrity, and availability" and to "consider cybersecurity during the design phase of the medical device, as this can result in more robust and efficient mitigation of cybersecurity risks."

As might be expected, the bulk of the not-terribly-long document is devoted to describing what the FDA considers appropriate security control methods, such as the avoidance of hard-coded passwords and the use of multilayered authorizations.

The FDA "recommends that medical device manufacturers provide justification in the premarket submission for the security features chosen and consider appropriate security control methods for their medical devices."

Stephen Levy is a contributor to Qmed and MPMN.
