FDA Overhauls Premarket Cybersecurity Guidance for Device Makers

6 November 2018 Reed Smith Client Alerts

主页观点 FDA Overhauls Premarket Cybersecurity Guidance for Device Makers

On October 18, 2018, the Food and Drug Administration (“FDA”) released a draft update to its guidance on the “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.” In providing updated guidance, the FDA continues its extensive efforts¹ to refine its approach to ensuring that marketed medical devices are protected against cybersecurity threats by identifying devices with cybersecurity risk and defining the issues manufacturers should address in the device design, labeling and other documentation that the FDA recommends for pre-market submissions.

Specifically, the FDA’s update expands the draft guidance by recommending the following:

Tiered Classification of Cybersecurity Risk: A tiered approach to classifying medical devices by potential cybersecurity risk, which requires that all cybersecurity controls be implemented for connected devices capable of causing harm to multiple patients, but permits risk-based control exceptions for lower risk devices;
Trustworthiness: A framework for designing “trustworthy” devices that incorporates specific design features and cybersecurity controls;
Cybersecurity Bill of Materials: An expanded “cybersecurity bill of materials” that goes with a device listing device hardware or software components to assist users in the identification of potential future vulnerabilities; and
Device Cybersecurity Labeling: Device labeling recommendations to assist end-users in maintaining the device’s safety and effectiveness with regards to cybersecurity.

Given the above recommendations, manufacturers of Internet-connected devices or other devices that present a cybersecurity risk (such as those that contain software, including firmware, or other programmable logic) should expect additional and more thorough FDA scrutiny regarding their device’s cybersecurity protections. Manufacturers should be aware that it is often burdensome and costly to incorporate cybersecurity into device design retroactively. Accordingly, manufacturers that are concerned their device may present a cybersecurity risk should consider conducting device risk assessments early and adopting cybersecurity risks throughout the product design lifecycle in order to meet the FDA’s recommendations for premarket submissions as discussed in the draft guidance.

作者: Kevin M. Madagan Mildred Segura Gerard M. Stegmaier Wendell J. Bartnick

Two Tiered Approach to Device Cybersecurity Risk Classification

The draft guidance adopts a risk-based approach to device cybersecurity that is in line with other widely-accepted industry standards for cybersecurity, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Specifically, the draft guidance introduces a framework for categorizing medical devices into two tiers for cybersecurity purposes each with different regulatory requirements.²

Tier 1 applies to “Higher Cybersecurity Risk” and is reserved for critically connected devices which, if tampered with, could directly result in harm to multiple patients. Examples of Tier 1 devices include, but are not limited to, implantable cardioverter defibrillators (ICDs), pacemakers, left ventricular assist devices (LVADs), brain stimulators and neurostimulators, dialysis devices, infusion and insulin pumps, and the supporting connected systems that interact with these devices such as home monitors and those with command and control functionality such as programmers.

The FDA defines Tier 2 “Standard Cybersecurity Risk” broadly to encompass medical devices that do not meet Tier 1 criteria.

Breach of PHI by itself is not considered patient harm under draft guidance. One interesting carve-out from the FDA’s consideration of patient harm is that, according to the guidance, the loss of confidential protected health information (PHI) is not considered “patient harm.” However, protecting such information may be required by federal and state law, such as the Health Information Portability and Accountability Act (HIPAA).

Categorizing devices into tiers may be difficult. While the examples provided by the FDA are illustrative in the sense of establishing what clearly qualifies as a Tier 1 device, a number of devices will be difficult to categorize. Without further clarification, medical device manufacturers may find the standard: “could directly result in patient harm to multiple patients” difficult to apply to their devices. This is important as different tiers will have different regulatory requirements.

Impact of two tiers. Under the draft guidance, the two tiers would have different design and documentation requirements. According to the draft guidance, certain security controls are recommended for Tier 1 devices and premarket submissions should include documentation on how the device design and risk assessment incorporate those controls. In contrast, Tier 2 devices do not necessarily need the security controls, but the FDA recommends that submissions should provide an explanation of a risk-based assessment of the potential vulnerabilities and their exploitability to justify why unimplemented controls are not appropriate for the device.

Trustworthy Devices

The draft guidance also adopts the concept of "trustworthy" devices.³ A trustworthy device is defined as a device that (1) is reasonably secure from cybersecurity intrusion and misuse; (2) provides a reasonable level of availability, reliability, and correct operation; (3) is reasonably suited to performing its intended functions; and (4) adheres to generally accepted security procedures.

Updated guidance consistent with NIST Cybersecurity Framework. Much of the guidance is devoted to how manufactures should seek to construct a trustworthy device. Manufacturers are well-advised to incorporate cybersecurity into product design early in the device lifecycle, at the presubmission phase, to avoid costly re-work to add such security controls later. The guidance appears to be consistent with the NIST Cybersecurity Framework standards: (1) Identify; (2) Protect; (3) Detect; (4) Respond; and (5) Recover.

Updated guidance tries to balance flexibility and specificity. The draft guidance remains ambiguous at times, even with the additional detail given by the FDA. For instance, the draft guidance instructs device manufacturers to “Maintain Confidentiality of Data” without explaining how this should be done. The guidance, like many cyber security frameworks, best practices, and legal requirements, is principles-based, because security controls frequently change and must permit organizations flexibility to implement various measures to mitigate the risk. Principles do not provide organizations with the comfort of knowing they are complying with such guidance (or legal requirements) with certainty.

Cybersecurity Bill of Materials

Under the draft guidance, manufacturers are expected to draft a cybersecurity bill of materials (CBOM) to be shared with customers to help them identify potential threats. The CBOM consists of a list of commercial and/or off-the-shelf software and hardware components incorporated into a device, so that if it turns out that such software or hardware is vulnerable, the device user can take self-help steps. In practice, however, commentators have predicted that this measure may take time to implement before it can meaningfully help customers.

Expanded Cybersecurity Labeling Recommendations

The draft guidance provides new recommendations for complying with the FDA's labeling regulations. It emphasizes communicating relevant security information to end users to help ensure a device remains safe and effective and that devices’ cyber security protections are maintained throughout the devices’ life cycle.

The FDA uses a legal foundation to support this aspect of the guidance, which suggests that the guidance may not be entirely optional. For example, 21 CFR 801.5 requires that device labeling include adequate directions for use, including statements of all conditions, purposes, or uses for which the device is intended (e.g., hazards, warnings, precautions, contraindications).⁴The FDA states that “informing end-users of relevant security information may be an effective way to comply with labeling requirements.” The FDA recommends 14 specific recommendations of cyber security topics that should be included in labeling. Examples include a description of the device features that protect critical functionality even when the device’s cybersecurity “has been compromised,” backup and restore features, and the CBOM described earlier.

Expanded Cybersecurity Documentation

The draft guidance recommends that manufacturers include, as part of their premarket submission, documentation of the design features and risk management efforts and labeling to demonstrate a risk-based approach appropriate for the device. The draft guidance states that design documentation should track the requirements applicable to the tier of the device as wells as systems diagrams (detailing network architecture, communication pathways, authentication mechanisms etc.) to explain how the device interacts with other systems. Risk management documentation should contain an evaluation of risks and mitigation strategies that can help assure a secure device, according to the draft guidance.

Conclusion

The FDA’s 2018 pre-market guidance offers additional clarity given recent industry advancements and practices. The FDA “recognizes that medical device security is a shared responsibility among stakeholders, including health care facilities, patients, health care providers, and manufacturers of medical devices.” The draft guidance tries to balance the recurring challenge of drafting cyber security recommendations that are specific enough to be helpful, but yet flexible enough to apply to an industry filled with rapidly evolving devices and greater and more complicated cybersecurity risks.

The FDA will hold a meeting on January 29–30, 2019 to discuss the draft guidance. Comments on the guidance are due by March 18, 2019.

The FDA’s updated draft guidance comes on the heels of the release of the FDA-supported "Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook" for health delivery organizations (HDOs), the announcement of two new Information Sharing Analysis Organizations (ISAOs), and FDA's recent news release discussing the agency's enhanced cybersecurity partnership with the U.S. Department of Homeland Security (DHS). These activities also follow the U.S. Department of Health and Human Services - Office of Inspector General’s September 2018 report "FDA Should Further Integrate Its Review of Cybersecurity Into the Premarket Review Process for Medical Devices," which we recently reported on. See our previous client alert.
FDA clarifies that the proposed tiers will not necessarily track existing statutory device classifications (Classes I, II, and III) set forth in/by 21 CFR 860.
This definition is adapted from the definition of a “Trustworthy System” in NIST SP 800-32 Introduction to Public Key Technology and the Federal PKI Infrastructure. See pg. 52, available at nist.gov.
Additionally, section 502(f) of the Federal Food, 562 Drug, and Cosmetic Act (FD&C Act) requires that labeling include adequate directions for use. Under section 502(a)(1) of the FD&C Act, a medical device is deemed misbranded if its labeling is false or misleading. Under section 201(n), labeling may be misleading if it fails to reveal facts material with respect to consequences which may result from use of the article under the conditions of use prescribed in the labeling or under such conditions of use as are customary or usual. See also 21 CFR 1.21. FDA device regulations contain further requirements related to labeling

Client Alert 2018-221

Cheng, Cue named among top lawyers for DeSPAC transactions

行业领域

服务领域

业务团队

PitchBook: Reed Smith leads on PE transactions in healthcare

您可能感兴趣的

Cheng, Cue named among top lawyers for DeSPAC transactions

PitchBook: Reed Smith leads on PE transactions in healthcare

共享工具