Medical device cybersecurity developments
2022 PRINDBRF 0334
By Vlad Teplitskiy, Esq., Damien Howard, Esq., and Luke Holbrook, Knobbe Martens
Practitioner Insights Commentaries
July 25, 2022
(July 25, 2022) - Vlad Teplitskiy, Damien Howard and Luke Holbrook of Knobbe Martens provide guidance on what the U.S. government is doing to protect electronic medical instruments and the data within those devices from digital attacks.

1. Introduction

Cybersecurity plays an important role in our connected world. Ignoring or incorrectly implementing cybersecurity protections can be very costly. For example, the 2017 Equifax data breach resulted in private records of over 163 million people being compromised and led to a settlement costing Equifax $575 million.1
Medical devices are becoming increasingly connected to other remote devices, which can leave such medical devices vulnerable to cybersecurity risks. To protect the public from the risks, the U.S. Food and Drug Administration (FDA) and Congress have been actively developing draft guidelines and various draft legislation.
Medical device manufacturers may want to consider aligning device cybersecurity practices with the proposed FDA guidelines and pending legislation to achieve and maintain legal compliance. The FDA guidelines provide a pre-market submissions framework for medical device manufacturers to mitigate cybersecurity risks. If passed, the pending legislation may require manufacturers to comply with certain cybersecurity standards throughout the lifecycle of the medical device, i.e., both pre-market and post-market.
The following provides an overview of the proposed FDA guidelines and the pending legislation, followed by an analysis of the requirements for pre-market and post-market compliance. Because the proposed legislation is still in the early stages of the legislative process, the discussion below focuses on the FDA guidance.

2. Overview of FDA guidelines and proposed legislation

The FDA previously released cybersecurity guidance in 2014.2 However, due to "the rapidly evolving landscape" and "an increased understanding of emerging threats," the FDA has recently released a draft of an updated cybersecurity guidance document (FDA draft guidance) for comment.3
In addition to the FDA draft guidance, several bills are pending review in Congress, including S. 4336, H.R. 7667, H.R. 7084, and S. 3983. The FDA draft guidance and each of the pending bills are discussed briefly below.

A. FDA draft guidance

While non-binding, the FDA draft guidance provides recommendations and clarifications regarding requirements under the law. The FDA recommends submitting security risk management plans and reports as part of pre-market device submissions.
Further, the "guidance applies to all types of devices within the meaning of Section 201(h) of the Federal Food, Drug, and Cosmetic Act (FD&C Act) whether or not they require a pre-market submission."4 When finalized, the FDA draft guidance will supersede the 2014 guidance.
To ensure a medical device manufacturer meets the Quality System Regulation (QSR) requirements5 during the pre-market stage, the FDA suggests using a Secure Product Development Framework (SPDF).
An SPDF "is a set of processes that help reduce the number and severity of vulnerabilities in products" throughout the device lifecycle. "An SPDF encompasses all aspects of a product's lifecycle, including development, release, support, and decommission. Additionally, using SPDF processes during device design may prevent the need to re-engineer the device when connectivity-based features are added after marketing and distribution, or when vulnerabilities resulting in uncontrolled risks are discovered. An SPDF can be integrated with existing processes for product and software development, risk management, and the quality system at large."6

B. S. 4336 — Strengthening Cybersecurity for Medical Devices Act

The bill known as the "Strengthening Cybersecurity for Medical Devices Act," S. 4336, is currently pending review in the Senate.7 The bill directs the Secretary of the United States Department of Health and Human Services (HHS) to review and update guidelines on medical device cybersecurity every two years, with the stated intent of ensuring that devices are protected from potential exploitation of vulnerabilities. In practice, the bill would require the FDA to refresh its cybersecurity guidance on a two-year cycle.

C. H.R. 7667 — Food and Drug Amendments of 2022

As of the time of writing, the "Food and Drug Amendments of 2022" recently passed in the House and is now pending in the Senate. The bill includes minimum cybersecurity requirements for manufacturers of medical devices.
In the bill's current state, the minimum requirements include directing manufacturers to design, develop and maintain processes to ensure the cybersecurity of devices, and to have a plan for monitoring, identifying and addressing post-market cybersecurity vulnerabilities.
The bill further adds a software bill of materials to the labeling requirements for cyber devices, and includes a catch-all provision covering other conditions the Secretary of HHS may require "to demonstrate reasonable assurance of the safety and effectiveness of the device."8
Non-compliance with the software bill of materials labeling requirement can amount to misbranding under the FD&C Act.9

D. Other pending legislation

Two additional bills are currently pending review in Congress: H.R. 7084 and S. 3983, companion bills titled the "Protecting and Transforming Cyber Health Care Act of 2022" (the PATCH Act).10 They set out substantially the same requirements as H.R. 7667, with minor differences.

3. Pre-market and post-market compliance

The FDA draft guidance and pending legislation stress the importance of cybersecurity to patient safety. Noncompliance may result in failure to obtain FDA clearance or approval, and in exposure to potential liability after a medical device has been introduced to the market.
Manufacturers may want to consider following the most restrictive framework to ensure compliance with the FDA draft guidance and the pending legislation. For pre-market submissions, manufacturers may consider supplementing existing processes with the recommendations found in the FDA draft guidance. For post-market actions, manufacturers may consider satisfying the legislative requirements.
The FDA draft guidance suggests using an SPDF to help meet the QSR requirements. An SPDF is a set of processes that, if followed, can reduce the number and severity of vulnerabilities in products throughout the device lifecycle. As part of the SPDF, the FDA draft guidance recommends including the following in pre-market submissions.

A. Security risk management

The FDA draft guidance recommends that "manufacturers establish a security risk management process that encompasses design controls ..., validation of production processes ..., and corrective and preventive actions ... to ensure both safety and security risks are adequately addressed."
The guidance also recommends maintaining and regularly updating a software bill of materials (SBOM), or an equivalent document, that identifies both manufacturer-developed and third-party components. The bill of materials can facilitate the risk management process by providing "a mechanism to identify devices that might be affected by vulnerabilities in the software components, both during development (when software is being chosen as a component) and after it has been placed into the market throughout all other phases of a product's life."11
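The matching step the guidance describes, as an added example written for this commentary (it is not FDA tooling or any manufacturer's code): each firmware release carries a reduced CycloneDX-style SBOM, advisories name a component and an affected range [introduced, fixed) in the OSV convention, and a fleet inventory maps serial numbers to the release installed. All SBOMs, advisory identifiers, component versions and serial numbers below are constructed for illustration. A device whose firmware has no SBOM on file is reported separately rather than treated as unaffected.

```python
"""Added example: use SBOMs to find fielded devices affected by a component
vulnerability. Illustrative code for this commentary; the SBOMs, advisories
(placeholder ids, not real CVEs) and inventory are constructed."""
import re

# One reduced CycloneDX-style SBOM per firmware release (constructed).
SBOMS = {
    "fw-2.0.1": {"components": [
        {"name": "openssl", "version": "1.1.1k", "supplier": "third-party"},
        {"name": "zlib", "version": "1.2.11", "supplier": "third-party"},
        {"name": "bluez", "version": "5.50", "supplier": "third-party"},
        {"name": "pump-controller", "version": "2.0.1", "supplier": "manufacturer"},
    ]},
    "fw-2.1.0": {"components": [
        {"name": "openssl", "version": "1.1.1n", "supplier": "third-party"},
        {"name": "zlib", "version": "1.2.12", "supplier": "third-party"},
        {"name": "bluez", "version": "5.55", "supplier": "third-party"},
        {"name": "pump-controller", "version": "2.1.0", "supplier": "manufacturer"},
    ]},
}

# Constructed advisories: affected if introduced <= version < fixed;
# fixed=None means no fixed release is known yet.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "component": "openssl", "introduced": "1.1.1", "fixed": "1.1.1n"},
    {"id": "ADV-EXAMPLE-0002", "component": "zlib", "introduced": "1.2.0", "fixed": "1.2.12"},
    {"id": "ADV-EXAMPLE-0003", "component": "bluez", "introduced": "5.0", "fixed": None},
]

# Constructed inventory; SN-0004 runs a release for which no SBOM was kept.
FLEET = {"SN-0001": "fw-2.0.1", "SN-0002": "fw-2.1.0",
         "SN-0003": "fw-2.0.1", "SN-0004": "fw-1.9.0"}


def parse_version(v: str) -> tuple:
    """Split a version into comparable tokens: numbers compare numerically,
    letter runs as strings, so "1.2.9" < "1.2.11" and OpenSSL-style
    "1.1.1k" < "1.1.1n". Trailing zero parts are dropped ("1.2" == "1.2.0")."""
    tokens = []
    for part in v.split("."):
        for run in re.findall(r"\d+|[A-Za-z]+", part):
            tokens.append((0, int(run)) if run.isdigit() else (1, run.lower()))
    while tokens and tokens[-1] == (0, 0):
        tokens.pop()
    return tuple(tokens)


def version_in_range(version: str, introduced: str, fixed) -> bool:
    """True if introduced <= version < fixed (fixed=None: no upper bound)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def affected_components(sbom: dict, advisories: list) -> list:
    """(component, version, advisory id) for every match in one SBOM."""
    hits = []
    for comp in sbom["components"]:
        for adv in advisories:
            if comp["name"] == adv["component"] and version_in_range(
                    comp["version"], adv["introduced"], adv["fixed"]):
                hits.append((comp["name"], comp["version"], adv["id"]))
    return hits


def affected_devices(fleet: dict, sboms: dict, advisories: list):
    """Return (serial -> sorted advisory ids, serials with no SBOM on file).
    Missing SBOMs are listed, not silently treated as 'not affected'."""
    findings, missing = {}, []
    for serial, release in sorted(fleet.items()):
        sbom = sboms.get(release)
        if sbom is None:
            missing.append(serial)
            continue
        ids = sorted({adv_id for _, _, adv_id in affected_components(sbom, advisories)})
        if ids:
            findings[serial] = ids
    return findings, missing


if __name__ == "__main__":
    found, unknown = affected_devices(FLEET, SBOMS, ADVISORIES)
    for serial, ids in found.items():
        print(f"{serial} ({FLEET[serial]}): {', '.join(ids)}")
    for serial in unknown:
        print(f"{serial} ({FLEET[serial]}): no SBOM on file, triage manually")
```

The version parser is deliberately small; production use would take versions and ranges from the SBOM and advisory feed formats directly (CycloneDX purl versions, OSV range events) rather than from hand-written dicts, but the matching logic and the "missing SBOM is a finding, not a pass" rule carry over unchanged.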
To ensure that both safety and security risks are adequately addressed, the FDA draft guidance also calls for provision of a security risk management plan and a security risk management report. The preparation and format of these documents is described in the pertinent Association for the Advancement of Medical Instrumentation technical information report, AAMI TIR57.
The security risk management report is expected to "summarize the risk evaluation methods and processes, detail the security risk assessment, and detail the risk mitigation activities undertaken as part of a manufacturer's risk management processes" as well as "provide traceability between the security risks, controls, and the testing reports that ensure the device is reasonably secure."
Manufacturers are expected to update the security risk management report as new information becomes available throughout the product life cycle, for example, "when new threats, vulnerabilities, assets, or adverse impacts are discovered during development and after the device is released."12

B. Security architecture

The FDA draft guidance recognizes that there may be different approaches to identifying cybersecurity risks and their mitigations. Whichever approach (or security architecture) is chosen needs to be documented by the manufacturer. The security architecture is expected to define the system and all connections into and out of it. The FDA draft guidance recommends documenting the resulting security architecture in the submission in the form of security views.13
The following views would likely need to be present in the documents submitted to the FDA14:
• Global system view that describes the overall system, including all internal and external connections.
• Multi-patient harm view that describes how the device defends or responds to attacks with the potential to harm multiple patients.
• Updatability and patchability view that describes how the device's software can be updated, including any additional cybersecurity risks stemming from performing updates over a network.
• Security use case view that describes various operational states of the system and their clinical functionality.

C. Cybersecurity testing

Testing is used to demonstrate the effectiveness of the device design, including the device's cybersecurity controls.15
The FDA draft guidance recommends documenting the following types of tests16:
• Security requirements: 1) evidence that each design input requirement was implemented successfully and 2) evidence and rationale for boundary analysis.
• Threat mitigation: details and evidence of testing that demonstrate effective risk control measures.
• Vulnerability testing: evidence of testing with respect to known vulnerabilities, including:
  • abuse case, malformed, and unexpected inputs (i.e., robustness and fuzz testing),
  • attack surface analysis,
  • vulnerability chaining,
  • closed box testing of known vulnerability scanning,
  • software composition analysis of binary executable files, and
  • static and dynamic code analysis, including testing for access credentials that are "hardcoded," default, easily guessed, and easily compromised.
• Penetration testing: identify and characterize security-related issues via tests that focus on discovering and exploiting security vulnerabilities in the product.
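One of the checks in the list above, static analysis for hardcoded, default and easily guessed credentials, as an added example written for this commentary (it is not an FDA tool or any manufacturer's code). It scans two constructed inputs: a C source excerpt, for string literals assigned to credential-looking names, and a `strings`-style dump of a firmware image, for embedded user:password pairs that a source review alone would miss. The source excerpt, strings dump, weak-value list and regular expressions are all assumptions for illustration; a real scan would run the same rules over the whole code base and image.

```python
"""Added example: a small static check for hardcoded, default and easily
guessed credentials. Illustrative code for this commentary; the source
excerpt, strings dump and weak-value list are constructed."""
import re
from dataclasses import dataclass

# Constructed C excerpt. Lines 4, 5 and 8 should be flagged; line 6 loads
# the secret at runtime and line 7 is a provisioning-time placeholder.
SAMPLE_SOURCE = """\
#include <stdlib.h>
/* field-service access */
static const char *SVC_USER = "service";
static const char *SVC_PASS = "service";
#define TELNET_PASSWORD "1234"
static const char *api_key = getenv("DEVICE_API_KEY");
static const char *db_password = "${DB_PASSWORD}";
static const char *update_key = "8f4e2c1a9b7d6e3f5a0c4b8d2e6f1a3c";
"""

# Constructed `strings firmware.bin` output.
SAMPLE_STRINGS = """\
Copyright (c) Example Devices
eth0
root:toor
http://updates.example.invalid/
tech:Xq7!pL2#vR9m
"""

WEAK_VALUES = {"", "admin", "password", "1234", "12345", "123456",
               "root", "toor", "service", "default", "guest"}
SENSITIVE_NAME = re.compile(r"(?i)pass|pwd|secret|token|key|cred")
# '#define NAME "value"' or 'name = "value"' (C string literal only).
ASSIGN = re.compile(
    r'#define\s+(?P<dname>[A-Za-z_]\w*)\s+"(?P<dval>[^"]*)"'
    r'|(?P<name>[A-Za-z_]\w*)\s*=\s*"(?P<val>[^"]*)"'
)
PLACEHOLDER = re.compile(r"^\$\{[^}]*\}$|^%[^%]+%$")   # ${VAR} or %VAR% templates
# user:password on one line; the password may not start with '/' so URLs
# such as http://... are not reported.
PAIR = re.compile(r"^(?P<user>[A-Za-z_][\w-]*):(?P<pw>[^\s:/][^\s:]*)$")


@dataclass
class Finding:
    origin: str      # "source" or "strings"
    line: int
    name: str        # variable/macro name, or the user part of a pair
    value: str
    category: str


def classify(value: str) -> str:
    """Any literal credential is a finding; this separates the ones that are
    also default or trivially guessable from the merely hardcoded."""
    if value.lower() in WEAK_VALUES or len(value) < 8:
        return "default-or-guessable"
    return "hardcoded-secret"


def scan_source(text: str) -> list:
    """Flag string literals assigned to credential-looking identifiers,
    skipping provisioning placeholders that are substituted at deploy time."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ASSIGN.search(line)
        if not m:
            continue
        name = m.group("dname") or m.group("name")
        value = m.group("dval") if m.group("dname") else m.group("val")
        if not SENSITIVE_NAME.search(name) or PLACEHOLDER.match(value):
            continue
        findings.append(Finding("source", lineno, name, value, classify(value)))
    return findings


def scan_strings(dump: str) -> list:
    """Flag user:password pairs in a strings dump (heuristic; triage by hand)."""
    findings = []
    for lineno, line in enumerate(dump.splitlines(), 1):
        m = PAIR.match(line.strip())
        if m:
            pw = m.group("pw")
            findings.append(Finding("strings", lineno, m.group("user"), pw, classify(pw)))
    return findings


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE) + scan_strings(SAMPLE_STRINGS):
        print(f"{f.origin}:{f.line}: {f.name} = {f.value!r} [{f.category}]")
```

Line 6 of the excerpt shows the shape of the fix the finding points to: the credential is supplied at runtime (here from the environment, in practice from per-device provisioning or a secure element) instead of being baked into every image, so a leak of one unit's firmware does not expose a fleet-wide password.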

D. Cybersecurity transparency

The FDA draft guidance states that cybersecurity risk "transparency is critical to ensure safe and effective use and integration of devices and systems."
Informing users of relevant cybersecurity risks can be accomplished via labeling. The FDA draft guidance recommends including numerous items of information in the labeling, including user instructions for cybersecurity controls (such as password requirements, firewalls, or anti-malware software), instructions for downloading software updates and patches, description of backup and restore features, instructions for secure network deployment and servicing, and instructions for how to respond upon detection of a cybersecurity vulnerability or risk.17

E. Post-market compliance

In 2016, the FDA issued guidelines for post-market cybersecurity medical device compliance.18 Briefly, this thirty-page document provides guidance for monitoring, identifying, and addressing cybersecurity vulnerabilities following introduction of medical devices on the market.
Manufacturers are expected to continuously monitor and assess the risk of patient harm as well as remediate (for example, by installing updates or patches) and report cybersecurity vulnerabilities.19
In addition, H.R. 7667 calls on manufacturers to "have a plan to appropriately monitor, identify, and address in a reasonable time post-market cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and procedures" and "make available updates and patches to the cyber device and related systems throughout the lifecycle of the cyber device."20

4. Conclusion

As of the writing of this article, the FDA has issued updated cybersecurity guidance for pre-market medical device submissions, and several bills for pre-market and post-market cybersecurity controls for medical devices are pending in Congress. Manufacturers may want to consider the potential impact of the FDA guidance on their design, regulatory approval, and post-market compliance processes.
While the various pending Congressional bills are in the early stages of the legislative process, manufacturers may want to monitor developments related to these bills in the event any of them pass both chambers of Congress and are signed into law.
Notes
1 See https://bit.ly/3oq3fTc.
2 See "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices," U.S. Food & Drug Administration, Oct. 2, 2014. (https://bit.ly/3OrTVbU) (2014 FDA Guidance).
3 See "Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions Draft Guidance for Industry and Food and Drug Administration Staff," U.S. Food & Drug Administration, April 8, 2022 at 3 (https://bit.ly/39rq5pg) (2022 FDA Guidance).
4 2022 FDA Guidance at 2, 14.
5 See 21 CFR 820 for QSR requirements.
6 Id.
7 See S. 4336 "Strengthening Cybersecurity for Medical Devices Act" — 117th Congress. (https://bit.ly/3cz47SO).
8 See H.R. 7667 "The Food and Drug Amendments of 2022" – 117th Congress. (https://bit.ly/3Pv36cL).
9 Id. at § 808(d).
10 See H.R. 7084 "PATCH Act of 2022" — 117th Congress (https://bit.ly/3RTvya1); S. 3983 "PATCH Act" — 117th Congress (https://bit.ly/3Bb2ODD).
11 2022 FDA Guidance at 10-13.
12 Id. at 14-15.
13 Id. at 16-17.
14 Id. at 20-21.
15 Id. at 22.
16 Id. at 22-23.
17 Id. at 24-26.
18 "Postmarket Management of Cybersecurity in Medical Devices," U.S. Food & Drug Administration, Dec. 28, 2016. (Accessed at: https://bit.ly/3onuRbn).
19 Id. at 15-26.
20 H.R. 7667 "The Food and Drug Amendments of 2022" — 117th Congress. (https://bit.ly/3Pv36cL).
Vlad Teplitskiy is a partner in the Orange County, California, office of Knobbe Martens. He helps individuals and companies with protecting innovations, particularly in the electrical and computer fields. He can be reached at [email protected]. Damien Howard is also a partner in the Orange County office. His practice focuses on protecting medical device, telecommunications, software and electronics-based inventions for both established companies and startups. He can be reached at [email protected]. Luke Holbrook is a summer associate at the firm. He graduated from the University of Texas at San Antonio in 2019 with a master's degree in electrical engineering and has published several technical articles regarding the cybersecurity of Internet of Things devices. Currently, he attends the University of Houston Law Center.
© 2024 Thomson Reuters. No claim to original U.S. Government Works.