September 25, 2023, marked the issuance of the US FDA’s guidance update for cybersecurity in medical devices. Referred to as “The 2023 Final Guidance,” this supplants the version issued by the FDA in 2014. This new document largely reflects the draft guidance prepared in the prior year, although there are a few differences mostly pertaining to client alerts.
The new FDA guidance features three main updates that address new concerns in light of the changing threat landscape, namely the introduction of a secure product development framework, cybersecurity transparency, and documentation requirements for investigational device exemption submissions. These changes emphasize the need to make cybersecurity a fundamental part of the manufacture, sale, and use of medical devices.
Secure Product Development Framework
One of the highlights of the 2023 FDA cybersecurity guidance for medical devices is the requirement for a Secure Product Development Framework (SPDF), which is a collection of processes aimed at lessening the amount and severity of security vulnerabilities in medical devices throughout their lifecycle.
The term SPDF is not that widely used but the core concept is relatively popular. In the computer programming and cybersecurity sector, for example, there’s the term Secure Software Development Framework (SSDF), which is designed to mitigate vulnerabilities affecting software and IT in general. It provides a set of practices organizations can incorporate into their software development lifecycle models to address threats affecting software.
SPDF, as outlined by the FDA guidance on medical devices, is similar to SSDF but it focuses on digital and connected devices used in healthcare. It entails the implementation of systematic practices to detect, identify, analyze, evaluate, control, and monitor existing, emerging, and potential risks affecting medical devices throughout their lifecycle. It aims to ascertain that the products made available in the market are safe and effective.
SPDF covers all aspects of a product’s lifecycle, from design to development, market release, customer support, and even decommissioning or end-of-life. It is an acknowledgment of the nature of digital medical devices nowadays, hence comprehensive risk management and rigorous testing are undertaken.
The risks affecting them are not limited to functional issues or security weaknesses that have been undetected upon market release. They can also be aggressively attacked by threat actors while being used and they can become instrumental in launching attacks if they are not decommissioned properly. Medical IoT devices that have been retired, for example, may serve as potential points of access or attack vectors. The sensitive information stored in them may also be exposed if their product’s end-of-life stage is not properly managed.
Cybersecurity transparency
Another important update in the 2023 FDA guidance is the recommendation for transparency in the cybersecurity of medical devices. Notably, conventional digital devices used in healthcare and other medical applications were not built with cybersecurity as a fundamental factor. They were developed to perform specific tasks to address medical problems, but they were not designed to detect, let alone resist, cyber attacks on them.
This is not to say that medical device makers never bothered about making their products secure. Many companies have already instituted cybersecurity solutions in response to the threats affecting their products. Some have implemented strict security testing protocols before releasing their products to the market. Others ensure that their devices can integrate with other systems, especially cybersecurity platforms, to make sure that they are covered by security visibility systems and that they can interoperate with security tools.
However, voluntary efforts can only go so far. Putting cybersecurity at the prerogative of businesses does not guarantee adequate and consistent protection. Worse, some companies put out false claims about the cybersecurity of their products. To address these concerns, the FDA is implementing cybersecurity transparency measures.
These transparency measures include the requirement for a vulnerability management plan and cybersecurity-specific labeling. The manufacturer vulnerability management plan requires device makers to present vital details as to how they manage the security weaknesses detected in their devices and what consumers can do. Meanwhile, the cybersecurity labeling requirement compels manufacturers to disclose vulnerabilities and indicate the proper security configuration of their devices. The security label helps consumers make sensible purchase decisions by providing all the relevant information they need to determine if a device is secure or if there are steps they need to take to protect their devices from cyber threats.
Documentation for Investigational Device Exemptions
The FDA is aware that imposing requirements can be restrictive. There are instances when medical device makers should be granted exemptions to pursue innovative development and clinical trials without being dragged down by various standards. As such, the regulatory body provides exemptions
Device manufacturers can submit an Investigational Device Exemption (IDE) application. An important part of this application is the need to provide an investigational plan, which should include details on a product’s cybersecurity features.
The required details include the Software Bill of Materials (SBOM), cybersecurity risks, security use case insights, and general labeling to indicate connectivity and associated risks. The FDA, however, notes that the approval of an IDE application does not rule out the possibility that the agency may raise more questions over the security of the approved products. The agency may provide recommendations for cybersecurity improvement while the products are being tested up to the point when the device is submitted for marketing authorization.
Additionally, separate documentation is needed pertaining to the scalability of medical devices’ security features. The volume of attacks on medical devices is steadily increasing, and so is their aggressiveness and sophistication. The FDA seeks to ensure that medical device makers are mindful of the threats and are well-versed in the proper courses of action to take. The exemptions for innovative developments and clinical trials should not get in the way of these necessities.
In conclusion
It has been nearly a decade since the last FDA guidance on medical devices, so the 2023 update may be a little late. Nevertheless, it is a welcome development for the healthcare industry, which has seen record highs when it comes to cyber attacks over the past few years. The three updates described above are important updates to existing medical device regulations. They may not cover everything, but they help advance medical devices toward better patient safety and device reliability.
Protection for the entire lifecycle of medical devices is a must in light of the current cyber threat situation. Likewise, it makes perfect sense to force medical device manufacturers to be transparent about their products’ cybersecurity and the mechanisms they have in place to ensure it. Additionally, stricter rules on documentary requirements are important to promote device security and manufacturer accountability.
