The Shifting Sands of Medical Device Cybersecurity Regulation

By Garrett Schumacher
June 15, 2022


• Categories: 01-Digital Health, 05-Quality/Regulatory, Cybersecurity, Regulatory

Regulatory and standards bodies have been busy in the medtech cybersecurity space—from the U.S. Food and Drug Administration (FDA) releasing new draft premarket cybersecurity guidance, to the Health Sector Coordinating Council (HSCC) publishing model contract language to support Healthcare Delivery Organizations (HDOs) and Medical Device Manufacturers (MDMs) in jointly defining roles, responsibilities and expectations of each party in their relationships. These two efforts have the potential to significantly change—in most cases for the better—the development and manufacture of medical devices and technologies.

The FDA’s New Deal on Medical Device Cybersecurity

The first guidance from the FDA addressing cybersecurity needs for a premarket submission was released in 2014, then updated in 2018. The new 2022 version, entitled Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, which will supersede its predecessor once finalized, is currently in draft form and open for public review.

There also is pending legislation in progress, called the PATCH Act that, if passed, would effectively turn this FDA premarket guidance into premarket requirements impacting all new and legacy systems. This bill would formally make the FDA the single authority on medical device cybersecurity in the U.S. market, which is a needed step in ensuring safe and effective medical systems nationally and abroad.

With each iteration since 2014, FDA guidance has become more prescriptive in defining expectations and submission content. That said, the shift in 2018 pales in comparison to the impending monolithic changes proposed in 2022. Among other changes, the guidance will tie security into the total product development lifecycle and quality systems.

There are many improvements to mention here. The draft guidance builds upon the strong foundations laid out in its predecessor by increasing scrutiny into supply chain risk management, requirements for updateability and responsibility of fielded devices and recognizes the intersection of quality and cybersecurity. Overall, the guidance and pending legislation give the FDA the backing to set an international example for proper medical device cybersecurity regulation. Now we must wait to see whether or not they use this opportunity.

However, the updated guidance also applies some unworkable aspects to secure product development that are not founded in practical development practices. For example, requiring a machine-readable Software Bill of Materials (SBOM) as part of a medical device submission. This is a step in the right direction towards an era of formalized security risk assessment and communication of said risk to end users. However, the FDA’s proposed requirements for SBOMs do not fully conform to the NTIA standard, the de facto standard for SBOMs.

The impact this requirement would have on legacy systems is significant. The PATCH Act coupled with the latest FDA premarket guidance could drive numerous end-of-service announcements or withdrawals from the marketplace. Legacy systems are plagued with security issues, but they are also currently critical to ensuring availability of uninterrupted care and addressing medical needs during health crises, such as ventilator use during the current pandemic.

The guidance also seems to associate various activities with the incorrect development phase or process. For example, it includes threat-modeling aspects from design time in a testing section that should cover processes following design finalization.

There are several international standards, including multiple ISO/IEC regulatory standards and frameworks, that would align the U.S. stance on medical device cybersecurity with global trends and facilitate both greater adoptability by MDMs for the U.S. market as well as opportunity for commercialization into global markets. Because the current draft guidance does not harmonize to those, it could unnecessarily increase the burden on MDMs, both prior to commercializing their products within the U.S. and during the supported life of said products.

As a general principle, more stringent cybersecurity requirements are a good thing. But when security must be done to check a box—especially a redundant and/or impractical box—rather than to bring value to business or patient outcomes—this can be a step backwards in progress. Who will bear the cost burden associated with these potential impacts?

Fortunately, every MDM and HDO has the opportunity to influence the final guidance/requirements during the current review process by submitting comments and feedback. The comment period is open until July 7.

HSCC Models the HDO and MDM Relationship Contract

In contrast to what may seem like a grim start to this article, there are many recent changes and shining lights paving a path towards safer, more effective and more secure medical devices and systems. An example is the recent Model Contract-Language for Medtech Cybersecurity provided by the HSCC’s Cybersecurity Working Group, which includes both HDO and MDM leaders. The model language assists small-to-medium-sized HDOs and MDMs in formally communicating and agreeing on their responsibilities and roles in the secure procurement, deployment, operation and maintenance of medical devices throughout the entire lifecycle of a product.

Possibly the best aspect of the HSCC contract language is that it is immediately usable. The HSCC template provides a framework to follow and a templated baseline to start from, allowing these groups to communicate and formalize their relationship and shared responsibility for patient safety and efficacy in an actionable, easy to follow manner. The contract language is valuable and accessible.

As of the writing of this article, the model language has been downloaded more than 4,000 times since its release in March 2022. It was informed by a multi-year process of public review and feedback, ensuring adoptability and providing confidence in the content from experienced practitioners. MDMs and HDOs should start adopting this framework and language in their own policies, procedures and templates, and then continually improve the content per their use cases as they progress towards a mature cybersecurity model.

How HDOs and MDMs Can Proactively Prepare for the Future

Following are five steps MDMs and HDOs can take to influence the short-term and long-term future of medical device cybersecurity for the benefit of their businesses and end users.

• MDMs can begin to prepare for this transition towards more regulated requirements by evaluating their internal development procedures, policies and practices, and implementing cybersecurity best practices into their quality management systems (QMS), full product development lifecycle, and organizational infrastructure and information systems.
• HDOs can push for secure medical devices by requiring information sharing from MDMs and requiring cybersecurity to be involved in the pre-procurement and procurement processes. HDO expectations can greatly influence MDM adoption and marketing, especially when it comes to cybersecurity.
• The HSCC’s model contract language is an example of a useful tool for informing how HDOs and MDMs can adapt to changing regulatory, commercial and threat landscapes. Identifying and applying such usable and valuable tools is an effective and efficient way of bolstering cybersecurity capability and maturity. Participating in Health Information Sharing and Analysis Centers (H-ISAC) and other similar groups can assist in properly doing so.
• MDMs and HDOs can immediately impact this regulatory environment by providing their candid and well-considered comments to the FDA and other bodies when they request comments and feedback on the content they produce. The FDA guidance is still in draft form and, as mentioned above, feedback is being requested through July 7. While the final solution will likely not be implemented as a final guidance or requirements for another 12 to 18 months (our best guess, based upon prior releases of similar regulations), now is the chance to improve and drive the final FDA guidance towards a valuable and workable solution that ensures safe and effective medical products based upon real-world input and experience.
• The HSCC also continually requests comments and feedback on its model contract language and framework, so be sure that any lessons learned along your organization’s path to maturity in cybersecurity are shared with others in the community, as well.

As recent years have demonstrated, the threats are real and lives are on the line. This is pushing regulatory and standards bodies to scrutinize and revamp medical device cybersecurity. Old justifications or business reasons for security gaps are obsolesced. We need robust medical device cybersecurity, but we need it in a manner that is workable by both MDMs and HDOs. Collectively, we can influence the next generation of regulations and standards driving medical device cybersecurity, ultimately saving and bettering lives while improving the practices of HDOs and MDMs everywhere.