Regulatory and standards bodies have been busy in the medtech cybersecurity space—from the U.S. Food and Drug Administration (FDA) releasing new draft premarket cybersecurity guidance, to the Health Sector Coordinating Council (HSCC) publishing model contract language to support Healthcare Delivery Organizations (HDOs) and Medical Device Manufacturers (MDMs) in jointly defining roles, responsibilities and expectations of each party in their relationships. These two efforts have the potential to significantly change—in most cases for the better—the development and manufacture of medical devices and technologies.
The first guidance from the FDA addressing cybersecurity needs for a premarket submission was released in 2014, then updated in 2018. The new 2022 version, entitled Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, which will supersede its predecessor once finalized, is currently in draft form and open for public review.
There also is pending legislation in progress, called the PATCH Act that, if passed, would effectively turn this FDA premarket guidance into premarket requirements impacting all new and legacy systems. This bill would formally make the FDA the single authority on medical device cybersecurity in the U.S. market, which is a needed step in ensuring safe and effective medical systems nationally and abroad.
With each iteration since 2014, FDA guidance has become more prescriptive in defining expectations and submission content. That said, the shift in 2018 pales in comparison to the impending monolithic changes proposed in 2022. Among other changes, the guidance will tie security into the total product development lifecycle and quality systems.
There are many improvements to mention here. The draft guidance builds upon the strong foundations laid out in its predecessor by increasing scrutiny into supply chain risk management, requirements for updateability and responsibility of fielded devices and recognizes the intersection of quality and cybersecurity. Overall, the guidance and pending legislation give the FDA the backing to set an international example for proper medical device cybersecurity regulation. Now we must wait to see whether or not they use this opportunity.
However, the updated guidance also applies some unworkable aspects to secure product development that are not founded in practical development practices. For example, requiring a machine-readable Software Bill of Materials (SBOM) as part of a medical device submission. This is a step in the right direction towards an era of formalized security risk assessment and communication of said risk to end users. However, the FDA’s proposed requirements for SBOMs do not fully conform to the NTIA standard, the de facto standard for SBOMs.
The impact this requirement would have on legacy systems is significant. The PATCH Act coupled with the latest FDA premarket guidance could drive numerous end-of-service announcements or withdrawals from the marketplace. Legacy systems are plagued with security issues, but they are also currently critical to ensuring availability of uninterrupted care and addressing medical needs during health crises, such as ventilator use during the current pandemic.
The guidance also seems to associate various activities with the incorrect development phase or process. For example, it includes threat-modeling aspects from design time in a testing section that should cover processes following design finalization.
There are several international standards, including multiple ISO/IEC regulatory standards and frameworks, that would align the U.S. stance on medical device cybersecurity with global trends and facilitate both greater adoptability by MDMs for the U.S. market as well as opportunity for commercialization into global markets. Because the current draft guidance does not harmonize to those, it could unnecessarily increase the burden on MDMs, both prior to commercializing their products within the U.S. and during the supported life of said products.
As a general principle, more stringent cybersecurity requirements are a good thing. But when security must be done to check a box—especially a redundant and/or impractical box—rather than to bring value to business or patient outcomes—this can be a step backwards in progress. Who will bear the cost burden associated with these potential impacts?
Fortunately, every MDM and HDO has the opportunity to influence the final guidance/requirements during the current review process by submitting comments and feedback. The comment period is open until July 7.
In contrast to what may seem like a grim start to this article, there are many recent changes and shining lights paving a path towards safer, more effective and more secure medical devices and systems. An example is the recent Model Contract-Language for Medtech Cybersecurity provided by the HSCC’s Cybersecurity Working Group, which includes both HDO and MDM leaders. The model language assists small-to-medium-sized HDOs and MDMs in formally communicating and agreeing on their responsibilities and roles in the secure procurement, deployment, operation and maintenance of medical devices throughout the entire lifecycle of a product.
Possibly the best aspect of the HSCC contract language is that it is immediately usable. The HSCC template provides a framework to follow and a templated baseline to start from, allowing these groups to communicate and formalize their relationship and shared responsibility for patient safety and efficacy in an actionable, easy to follow manner. The contract language is valuable and accessible.
As of the writing of this article, the model language has been downloaded more than 4,000 times since its release in March 2022. It was informed by a multi-year process of public review and feedback, ensuring adoptability and providing confidence in the content from experienced practitioners. MDMs and HDOs should start adopting this framework and language in their own policies, procedures and templates, and then continually improve the content per their use cases as they progress towards a mature cybersecurity model.
Following are five steps MDMs and HDOs can take to influence the short-term and long-term future of medical device cybersecurity for the benefit of their businesses and end users.
As recent years have demonstrated, the threats are real and lives are on the line. This is pushing regulatory and standards bodies to scrutinize and revamp medical device cybersecurity. Old justifications or business reasons for security gaps are obsolesced. We need robust medical device cybersecurity, but we need it in a manner that is workable by both MDMs and HDOs. Collectively, we can influence the next generation of regulations and standards driving medical device cybersecurity, ultimately saving and bettering lives while improving the practices of HDOs and MDMs everywhere.