The U.S. Food and Drug Administration (FDA) has released a new guidance draft for medical device manufacturers with digital components. The guidance, issued on April 8, is intended to serve as an updated version of a previously published notice in order to keep medical devices safe from cybercriminals.

The draft guidance, titled “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions,” is intended to address the “need for effective cybersecurity to reasonably ensure medical device safety and effectiveness,” which the FDA argues has become more vital with “the increasing use of wireless, internet- and network-connected devices, portable media,” as well as the increased “electronic exchange of medical device-related health information.” 

With the increased presence of electronic and digital medical information exchange, medical devices will need to be more secure from cyberattacks than ever before.

In their entry in the Federal Register, the FDA describes how attacks on healthcare centers from bad actors “have become more frequent, more severe, and carry increased potential for clinical impact.” 

These attacks from cybercriminals have rendered entire hospital networks powerless and have led to delays in diagnosis, delays in treatment, and increases in patient harm.

The first FDA guidance on enhanced cybersecurity was released in 2014. Four years later, the FDA updated the 2014 guidance after “the rapidly evolving landscape, and the increased understanding of the threats and their potential mitigations, necessitate an updated approach.” 

This latest guidance update combines information gathered from consumer feedback, expert testimony, and a summit held in January 2019. The primary focus of the draft guidance is to demonstrate how manufacturers can create a “Secure Product Development Framework (SPDF).” This SPDF features 5 key security objectives to increase medical device readiness against cyberattacks:

  1. Ensuring the authenticity and integrity of the device
  2. Authorization of the device
  3. Securing availability of cybersecurity information
  4. Confidentiality of cybersecurity measures
  5. Secure and timely updatability and patchability of the medical device

The draft guidance detailed that “submissions should include information that describes how the above security objectives are addressed by and integrated into the device design.” How vigorous or granular the approach would need to be would depend on several factors described further in the guidance.

Broadly, the scale of cybersecurity defense needed would depend on the intended use for the device, the number of the electronic data interfaces in the device, the inherent cybersecurity vulnerabilities present in the device, the risk of exploitation of those vulnerabilities, and the damage that could be caused to patients if the vulnerabilities were to be exploited. By utilizing the SPDF process, the FDA argues that the number and severity of vulnerabilities in a medical device can be reduced.

“Because exploitation of known vulnerabilities or weak cybersecurity controls should be considered reasonably foreseeable failure modes for systems, these factors should be addressed in the device design” states the FDA. 

This means that if a device has a known weakness that is exploited, the FDA is placing responsibility for any harm on the manufacturer for failing to correct this defect in the design.

The FDA also argues that the benefits of using the SPDF process include manufacturing medical devices that are “more likely” to be secure by design “such that the device is designed from the outset to be secure within its system and/or network of use.” This not only benefits the manufacturer but also helps the healthcare centers where the device is implemented. 

Devices following SPDF process guidelines would be designed to be managed and their labeling would inform healthcare facilities how to accomplish a number of vital cybersecurity tasks including:

  • Installing new firmware
  • Configuring the device
  • Updating the software
  • Reviewing device logs

This functionality in the designs would allow hospitals and other healthcare facilities to integrate these new medical devices into their cybersecurity frameworks. SPDF would bring manufactured devices into line with risk management frameworks such as the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity.