FDA official: Draft cybersecurity guidance has ‘teeth’
If followed by medical device manufacturers, experts said that the Food and Drug Administration's long-awaited draft cybersecurity guidance released on Thursday will go a long way towards improving device security and patient safety.
The FDA draft guidance, which replaces a 2018 document, lays out a total product lifecycle approach to cybersecurity with recommendations for how medical device manufacturers should address security in premarket submissions and in order to maintain their software-based products postmarket.
"This is the finished product from the 2018 outline. They really polished it and have done a much better job on this document. That's not to say it's without its faults. It has them but it's a much better document," said Chris Gates, director of product security at medical device engineering firm Velentium.
While the FDA issued final cybersecurity guidance addressing premarket expectations in 2014 and complementary postmarket guidance in 2016, the agency makes the case in its latest draft guidance that rapidly evolving cybersecurity threats and hacker attacks on the healthcare sector warranted an "updated, iterative approach" to device security.
The agency's 2022 draft guidance warns that growing and sophisticated "cybersecurity incidents have rendered medical devices and hospital networks inoperable, disrupting the delivery of patient care across healthcare facilities in the U.S. and globally."
Suzanne Schwartz, director of the Centers for Devices and Radiological Health's Office of Strategic Partnerships and Technology Innovation at the FDA, told MedTech Dive the agency's latest draft guidance underscores the "total product lifecycle nature of cybersecurity considerations with respect to medical device," including premarket device submissions and deployment mitigations for older legacy devices that were not built with security in mind.
The FDA emphasizes that the contents of its 2022 draft guidance, which apply to devices that contain software including firmware or programmable logic, "do not have the force of law" and "should be viewed only as recommendations, unless specific regulatory or statutory requirements are cited."
While the FDA's recommendations for premarket submissions are not requirements, those device manufacturers who choose an alternate approach "would have to really provide pretty solid, ample justification" as to why it satisfies the statutory requirements for meeting safety and effectiveness in quality system regulations, according to Schwartz.
"Where we have teeth here actually is manufacturers recognize that [following this guidance] is likely to be their best way to get a product on to the market," Schwarts said. "Not following the guidance is going to create greater, probably, complexities or potential hardships as far as addressing questions that will come up. That means potentially delays."
Velentium's Gates contends that the FDA's guidance represents "de facto requirements" and that if medical device manufacturers want to get through premarket approval they need to meet the agency's cybersecurity expectations.
An AdvaMed spokesperson said the medtech lobby "is still reading through and evaluating" the FDA's draft guidance and that "there is a process we take with our members before we reach the point of a public statement."
The agency is accepting public comments on the guidance until July 7.
Mike Rushanan, director of medical security at consultancy Harbor Labs, contends that manufacturers currently in the pre-submission phase "will be scrambling" in light of the new document.
"The substance of the guidance will cause them to scrutinize their approach more, and they'll need to perform a gap assessment to see where they have shortcomings," Rushanan said.
In its draft guidance, the FDA encourages device makers to implement and adopt a Secure Product Development Framework, a "set of processes that reduce the number and severity of vulnerabilities in products" with certain factors that should be addressed in the design of a device.
"You start, obviously, during the cradle stage during design and development. But, what's done there will have broad and continuous implications throughout the lifecycle of that device," Schwartz said. "What gets built in and baked in from a security perspective is going to affect the maintenance of that device by stakeholders, manufacturers and others."
The guidance also recommends threat modeling be performed in the design process. This lays out what hackers might be able to do to target a medical device and what manufacturers intend to protect with the assumption that the network is insecure.
While the agency encourages adoption of threat modeling throughout the device lifecycle, the models are essential to a successful premarket review to ensure adequate security, said Kevin Fu, CDRH's acting director of medical device cybersecurity.
Fu has called on the medtech industry to improve its threat modeling. In May, Fu told the Food & Drug Law Institute conference that companies must do a better job and that the FDA has denied premarket clearance based solely on cybersecurity concerns for medical devices.
"Threat modeling is basically the cybersecurity equivalent to hazard analysis," Fu told MedTech Dive. "It would be difficult to design the security of a device until you first have a threat model."
To help companies, an FDA-funded playbook developed by MITRE was released last year with the aim of improving device makers' approaches to these critical models.
Harbor Labs' Rushanan says the agency's draft cybersecurity guidance "has come a long way" by providing "interspersed examples that provide context on what the FDA means when it says security risk assessment, threat model, and use environment, to name a few."
Software Bill of Materials
In FDA's 2018 draft guidance, the agency discussed the need for a Cybersecurity Bill of Materials, a document providing a list of software and hardware included in a medical device, as a way to address the problem of widespread cyber vulnerabilities.
At the time, a Cybersecurity Bill of Materials was seen as an "aspirational" and "comprehensive view of what is in a medical device from a security perspective," according to CDRH's Schwartz. However, the FDA decided to focus on a Software Bill of Materials (SBOM), an electronically readable inventory of third-party components in devices meant to improve transparency.
"Most vulnerabilities that are going to be of concern are those of a software nature, as opposed to a hardware nature," Schwartz said. "We did not want perfect to be the enemy of good here. We wanted to get to a place that was certainly going to be impactful in making a difference with respect to devices being more secure and providing that information to the necessary stakeholders so that they can best protect their assets."
The SBOM concept got a major boost in May with President Joe Biden's executive order aimed at bolstering the nation's cybersecurity posture by, among other actions, enhancing software supply chain security.
FDA has supported a multi-stakeholder SBOM initiative headed by the Department of Commerce's National Telecommunications and Information Administration (NTIA), designed to improve software component transparency across several industries, including medtech.
NTIA's SBOM effort has developed the schemas, formats and other outputs from the multi-stakeholder initiative that the National Institute of Standards and Technology could ultimately leverage in its software integrity guidelines in fulfillment of Biden's executive order.
However, Velentium's Gates contends that the FDA draft cybersecurity guidance essentially ignores the important work NTIA has done on SBOM.
"NTIA created the minimum set of elements inside the Software Bill of Materials. Why they didn't just refer to that and why they created their own list of elements is beyond me," Gates said, though the FDA's guidance does include a footnote referencing NTIA's work. "We don't need them adulterating this format with their own take on it, what they think is important, without due consideration and more importantly just messing up the support across the industries that we are currently enjoying."
The draft guidance recommends using industry standards for SBOM in a machine-readable format in premarket submissions, Fu said.
While work is underway to "deal with the challenges around implementation" of SBOM using multiple formats, Schwartz said the FDA is "very careful" at this point not to prescribe one vendor or tool for standardization.
"The verdict is out on that as yet," Schwartz said. "We recognize that there's an entire market out there of vendors and tooling that's happening on this front right now."
Legislative authority
The FDA's cybersecurity guidance was released for public comment just as a bipartisan bill, sponsored by Sens. Tammy Baldwin, D-Wisc., and Bill Cassidy, R-La., was recently introduced in the Senate. The bill would establish cybersecurity requirements for device manufacturers, including the development of SBOMs, as well as requirements for them to monitor and address postmarket cybersecurity vulnerabilities.
The Protecting and Transforming Cyber Health Care (PATCH) Act, which has a companion bill in the House of Representatives, is an attempt to address the fact that currently there is no premarket or postmarket statutory requirement that expressly compels medical device manufacturers to address cybersecurity.
Schwartz said that the FDA is "encouraged" by the introduction of the PATCH Act which "tracks very closely to our vision" for stronger cybersecurity protections.
The FDA is seeking additional legislative authorities from Congress. The agency recently submitted a legislative proposal, in accordance with OMB Circular A-19 proposing new requirements for medical device manufacturers to address the safety and effectiveness of devices through cybersecurity measures that span the total product lifecycle.
"This proposal would advance medical device safety by explicitly requiring that medical device manufacturers design cybersecurity into their devices and by ensuring that FDA and the public have certain information about device cybersecurity," states the document.
The legislative proposal is an effort to give the agency express authority to require that premarket submissions "include evidence demonstrating reasonable assurance of the device's safety and effectiveness for purposes of cybersecurity" and that devices have the capability to be updated and patched in a timely manner.
The agency's guidance issued on Thursday states that premarket submissions should include information that describes how security objectives are addressed by, and integrated into, the device design to provide for secure and timely updatability and patchability.
In addition, the FDA document recommends that manufacturers establish a plan for how they will identify and communicate vulnerabilities after releasing a device to users, including tracking the following measures and metrics: percentage of identified vulnerabilities that are updated or patched; time from vulnerability identification to when it is updated or patched; and time from when an update or patch is available to complete implementation in devices deployed in the field.
"This effort at quantification has not been seen before in FDA guidance requirements, but will absolutely bring transparency to what is currently idiosyncratically tracked, and certainly not transparently shared, across our industry," Axel Wirth, chief security strategist of medical device cyber firm MedCrypt, wrote in an assessment of last week's guidance.
The FDA's 2016 postmarket guidance states that no later than 30 days after learning about a cybersecurity vulnerability a manufacturer should notify its customers, and no later than 60 days the device maker "fixes the vulnerability, validates the change, and distributes the deployable fix to its customers and user community such that the residual risk is brought down to an acceptable level."
However, Velentium's Gates contends that he knows of only one medical device manufacturer "in the history" who actually met the agency's 60-day expectation for fixing a vulnerability and getting the patch out to customers.
"Thirty days to notify customers about the vulnerability? Darn straight," Gates said. "Sixty days [to fix it], however, that's a bear. The great preponderance of times there's no way that's even possible."
Gloss