Because software and networked devices are now ubiquitous in the medical industry, cybersecurity attacks are becoming more frequent and their impact more severe. The WannaCry ransomware attack is just one example of this global cybersecurity issue.
The FDA is responding to the need for stronger cybersecurity controls by issuing updated Draft guidance:
➤ [ Link ]
The first four paragraphs of the introduction explain why we need this, and WannaCry is mentioned in the second paragraph of the background section. This new guidance is only a draft, but it is the FDA's third attempt at regulating the cybersecurity of medical devices. The first guidance was finalized in 2014. That is the 9-page guidance currently in effect. It mentions risk 11 times, and there is no mention of testing requirements or of a bill of materials (BOM). The 2018 draft guidance (24 pages) met with resistance from the industry for a number of reasons. One of the reasons mentioned by Suzanne Schwartz in an interview was the inclusion of a cybersecurity bill of materials (CBOM). The industry felt it would be too burdensome to disclose all of the hardware elements related to cybersecurity. Therefore, the FDA rewrote the 2018 draft and released a new draft on April 8, 2022 (49 pages).
You might have expected the FDA to soften its requirements in the face of resistance from industry, but the new draft does not appear to be less robust. It is true that the CBOM was replaced by a software bill of materials (SBOM). However, the SBOM must be electronically readable and it must include:
A. the asset(s) where the software resides;
B. the software component name;
C. the software component version;
D. the software component manufacturer;
E. the software level of support provided through monitoring and maintenance from the software component manufacturer;
F. the software component's end-of-support date; and
G. any known vulnerabilities.
I'm quite sure that the industry will view this as a hefty burden. After all, this is far more encompassing than UDI labeling was. I'm also quite sure that this much information will not fit on the "Splash Screen" of anyone's software application. Companies may instead host the documentation on their website and link to it from within the software. The information could be formatted as a "Manufacturer Disclosure Statement for Medical Device Security (MDS2)." However, the MDS2 example I found was a 349-line-item Excel spreadsheet to be used as a checklist (i.e., quite a bit longer than the GUDID data elements spreadsheet).
Note: It took the FDA 8 years to complete the transition for the UDI Final Rule (i.e. 2013 - 2021).
The biggest impact of this new draft guidance may be the requirement for testing. The 2014 guidance has no testing requirement, and the 2018 draft guidance mentioned testing 7 times in a few bullet points, but this new draft guidance mentions testing 43 times. The testing requirements for cybersecurity risk management verification include:
1. Security requirements
2. Threat mitigation
3. Vulnerability testing
4. Penetration testing
The penetration testing requirements include the following elements:
➤ Independence and technical expertise of testers,
➤ Scope of testing,
➤ Duration of testing,
➤ Testing methods employed, and
➤ Test results, findings, and observations.
Details on the content for security risk management plans and reports beyond those specifically identified can be found in AAMI TIR57:2016 - Principles for medical device security—Risk management. This guidance explains on page 13 (numbered 9) that "performing security risk management is a distinct process from performing safety risk management as described in ISO 14971:2019."
The FDA also makes it clear that they expect companies to implement "design for cybersecurity" practices rather than relying solely on updates and patches to software. In the guidance, it states: "As cybersecurity design controls are established early in the development phase, FDA recommends that device manufacturers utilize the FDA Q-submission process to discuss with the agency design considerations for cybersecurity risk management throughout the device lifecycle."
As it states in the scope of the guidance, "This guidance applies to all types of devices within the meaning of section 201(h) of the Federal Food, Drug, and Cosmetic Act (FD&C Act) whether or not they require a premarket submission. Therefore, the information in this guidance should also be considered for understanding FDA's recommendations for devices for which a premarket submission is not required (e.g., for 510(k)-exempt devices)."
If this new guidance is finalized, the impact on the medical device industry will be profound.