On October 18, 2018, the Food and Drug Administration (“FDA”) released a draft update to its guidance on the “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.” In providing updated guidance, the FDA continues its extensive efforts1 to refine its approach to ensuring that marketed medical devices are protected against cybersecurity threats by identifying devices with cybersecurity risk and defining the issues manufacturers should address in the device design, labeling and other documentation that the FDA recommends for pre-market submissions.
Specifically, the FDA’s update expands the draft guidance by recommending the following:
- Tiered Classifciation of Cybersecurity Risk: A tiered approach to classifying medical devices by potential cybersecurity risk, which requires that all cybersecurity controls be implemented for connected devices capable of causing harm to multiple patients, but permits risk-based control exceptions for lower risk devices;
- Trustworthiness: A framework for designing “trustworthy” devices that incorporates specific design features and cybersecurity controls;
- Cybersecurity Bill of Materials: An expanded “cybersecurity bill of materials” that goes with a device listing device hardware or software components to assist users in the identification of potential future vulnerabilities; and
- Device Cybersecurity Labeling: Device labeling recommendations to assist end-users in maintaining the device’s safety and effectiveness with regards to cybersecurity.
Given the above recommendations, manufacturers of Internet-connected devices or other devices that present a cybersecurity risk (such as those that contain software, including firmware, or other programmable logic) should expect additional and more thorough FDA scrutiny regarding their device’s cybersecurity protections. Manufacturers should be aware that it is often burdensome and costly to incorporate cybersecurity into device design retroactively. Accordingly, manufacturers that are concerned their device may present a cybersecurity risk should consider conducting device risk assessments early and adopting cybersecurity risks throughout the product design lifecycle in order to meet the FDA’s recommendations for premarket submissions as discussed in the draft guidance.
Two Tiered Approach to Device Cybersecurity Risk Classification
The draft guidance adopts a risk-based approach to device cybersecurity that is in line with other widely-accepted industry standards for cybersecurity, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Specifically, the draft guidance introduces a framework for categorizing medical devices into two tiers for cybersecurity purposes each with different regulatory requirements.2
Tier 1 applies to “Higher Cybersecurity Risk” and is reserved for critically connected devices which, if tampered with, could directly result in harm to multiple patients. Examples of Tier 1 devices include, but are not limited to, implantable cardioverter defibrillators (ICDs), pacemakers, left ventricular assist devices (LVADs), brain stimulators and neurostimulators, dialysis devices, infusion and insulin pumps, and the supporting connected systems that interact with these devices such as home monitors and those with command and control functionality such as programmers.
The FDA defines Tier 2 “Standard Cybersecurity Risk” broadly to encompass medical devices that do not meet Tier 1 criteria.
Breach of PHI by itself is not considered patient harm under draft guidance. One interesting carve-out from the FDA’s consideration of patient harm is that, according to the guidance, the loss of confidential protected health information (PHI) is not considered “patient harm.” However, protecting such information may be required by federal and state law, such as the Health Information Portability and Accountability Act (HIPAA).
Categorizing devices into tiers may be difficult. While the examples provided by the FDA are illustrative in the sense of establishing what clearly qualifies as a Tier 1 device, a number of devices will be difficult to categorize. Without further clarification, medical device manufacturers may find the standard: “could directly result in patient harm to multiple patients” difficult to apply to their devices. This is important as different tiers will have different regulatory requirements.
Impact of two tiers. Under the draft guidance, the two tiers would have different design and documentation requirements. According to the draft guidance, certain security controls are recommended for Tier 1 devices and premarket submissions should include documentation on how the device design and risk assessment incorporate those controls. In contrast, Tier 2 devices do not necessarily need the security controls, but the FDA recommends that submissions should provide an explanation of a risk-based assessment of the potential vulnerabilities and their exploitability to justify why unimplemented controls are not appropriate for the device.