FDA’s New Draft Guidance on Cybersecurity

August 16, 2022

The FDA has been continuing to work on protecting medical devices from the threats of cybersecurity. In April of this year, the Agency released the latest draft guidance addressing cybersecurity in the medical device lifecycle. There are several major changes in the 2022 version, which replaces the 2018 draft guidance.

Gardner Law recently presented a CLE presentation (click here to view) on the topic of cybersecurity that outlines:

Background on the cybersecurity and the FDA's approach
Major changes from the 2018 draft guidance
Highlights of the 2022 release

No time to watch the video? What follows is a brief summary of the video presentation.

Background on cybersecurity and the FDA's approach

The FDA has been continuing to strengthen and evolve its approach to addressing cybersecurity in medical devices. As noted in the April 8^th Federal Register Notice, "[t]he need for effective cybersecurity to reasonably ensure medical device safety and effectiveness has become more important with the increasing use of wireless, internet- and network- connected devices, portable media (e.g., USB or CD), and the frequent electronic exchange of medical device-related health information. In addition, cybersecurity threats to the healthcare sector have become more frequent, more severe, and carry increased potential for clinical impact."

The 2022 draft guidance emphasizes the importance of ensuring that devices are designed securely and are capable of mitigating emerging cybersecurity risks throughout the Total Product Life Cycle ("TPLC"). This change to a TPLC approach will impact manufacturers as they begin to incorporate these concepts into not only their premarket submissions, as was the focus of the 2018 draft guidance, but also into their Design Controls processes. In fact, effects of the TPLC approach will be felt throughout a manufacturer's Quality Management System ("QMS"). This is likely to have a big impact on manufacturers, especially for those with legacy products or for companies playing "catch-up" to the 2018 draft guidance.

What has changed since 2018?

As was mentioned above, the biggest and most impactful change to manufacturers is the TPLC approach to cybersecurity, but there were several other changes implemented:

Risk Tiers have been removed. The concept of risk has been preserved, however.
Cybersecurity Bill of Materials ("CBOM") has been replaced with Software Bill of Materials ("SBOM"). This was done to reduce some of the burden on manufacturers when the vast majority of cybersecurity concerns are within the software, itself, and not the hardware. The SBOM concept also aligns the draft guidance more closely with the May 2021 Executive Order on Improving the Nation's Cybersecurity.
Additional clarification regarding premarket submission document requirements has been added throughout the draft guidance.
Investigational Device Exemptions ("IDEs") have been added to the scope.
A change in title was made to better capture the scope of the current draft guidance: Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions Draft Guidance for Industry and Food and Drug Administration Staff.
A document structure change was made to align with use of a Secure Product Development Framework (discussed further below).

What is included in the 2022 draft guidance?

Secure Product Development Framework

A Secure Product Development Framework ("SPDF") is a set of processes implemented by the device maker designed to mitigate the number and severity of vulnerabilities in products throughout the device lifecycle.

The FDA proposes using a SPDF as a means of satisfying a manufacturer's Quality System Regulation ("QSR") obligations and including it as part of the product development process. A SPDF should be deployed throughout the TPLC.

Risk Management

For the 2022 draft guidance, the FDA has greatly expanded their expectations around risk management. While manufacturers have been incorporating aspects of risk management within their QMS and product development processes for some time now, those processes may not be robust or sophisticated enough to fully assess the risks for cybersecurity under the latest draft guidance.

The 2022 draft guidance focuses heavily on the use of "Threat Modeling" as part of risk management for cybersecurity. Threat Modeling identifies security objectives, risk, and vulnerabilities; defines risk controls or countermeasures to mitigate risks; and supports risk analysis activities. Manufacturers will need to reassess and likely change their approach to risk management to ensure compliance. More information on Threat Modeling can be found in the Playbook for Threat Modeling Medical Devices, which was commissioned by the FDA and released in November of 2021.

Cybersecurity and Premarket Submissions

The FDA assesses the adequacy of device security based on the ability of a device to provide and implement the security objectives of authenticity, which includes: integrity, authorization, availability, confidentiality, and secure and timely updatability and patchability.

Premarket submissions should address how the above security objectives are met. Another thing manufacturers need to consider in their premarket submissions is substantial equivalence, as the FDA is now planning on taking cybersecurity controls into consideration in making a substantial equivalence determination. Again, moving forward, manufacturers will want to look at their current systems, to make sure cybersecurity is considered early and often to avoid delays once they reach the point of submission.

To be effective, cybersecurity needs to be "baked in" and not "bolted on". Manufacturers will need to make changes to their approach. Regardless, we recommend manufacturers start planning and implementing the concepts found in the draft guidance now, in both their products and within their QMS, in order to ensure they maintain compliance.

Click here to watch Brynn Stanley, Associate Attorney, Gardner Law, a biomedical and quality engineer, share more about the latest FDA cybersecurity guidance.