FDA Issues Cybersecurity Premarket Guidance

Posted October 22, 2018

In an effort to stay “a step ahead” of cybersecurity vulnerabilities, the Food and Drug Administration (FDA) has issued a draft guidance to help manufacturers incorporate cybersecurity best practices into their medical devices and address threats before the devices enter the market.

“Cybersecurity threats and vulnerabilities in today’s modern medical devices are evolving to become more apparent and more sophisticated, posing new potential risks to patients and clinical operations,” said FDA Commissioner Scott Gottlieb, in a statement. “[The] draft premarket cybersecurity guidance provides updated recommendations for device manufacturers on how they can better protect their products against different types of cybersecurity risks, from ransomware to a catastrophic attack on a health system.”

Crucially, the draft guidance, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, recommends that premarket submissions include a “cybersecurity bill of materials” detailing the software and hardware components of a device that are susceptible to cyberattacks.

In a recent post on the AAMIBlog, cybersecurity expert Ken Hoyme, director of product security at Boston Scientific, considered the utility of a software bill of materials when facing a cybersecurity threat such as the 2017 WannaCry ransomware attack.

“This event highlighted the challenges of managing a set of ‘black box’ systems, where the software content in them is relatively unknown,” wrote Hoyme, adding that “knowing the software content of a device can help in assessment of the security risk it may bring.”

The FDA’s draft guidance, which updates a 2014 guidance document, provides design recommendations based on the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity. It splits medical devices into two risk categories—higher security risk (Tier 1) and standard security risk (Tier 2)—based on the level of potential harm to patients. It encourages the creation of “trustworthy” devices, defined in part as those that are “reasonably secure from cybersecurity intrusion and misuse” and “provide a reasonable level of availability, reliability, and correct operation.”

“In particular, devices and systems should be designed to protect assets and functionality in order to reduce the risk of multi-patient harm due to the loss of authenticity, availability, integrity, and confidentiality,” the FDA wrote in the guidance document.

The draft guidance outlines what documentation manufacturers should include in their premarket submissions to demonstrate that their device has mitigated cybersecurity risks. Premarket submissions for Tier 1 devices should include documentation demonstrating that the device’s design and risk assessment incorporate the FDA’s design controls that are detailed in the guidance document. This includes methods to limit access to trusted users, authentication of safety-critical commands, maintaining data integrity and confidentiality, detecting and responding to cybersecurity events, and adhering to labelling recommendations for devices with cybersecurity risks.

Tier 2 devices may instead include an explanation for why the draft guidance’s design controls are not appropriate for the device.

Premarket submissions should also include design documentation demonstrating that the device is trustworthy, in addition to risk management documentation based on the recommendations of the technical information report AAMI TIR57, Principles for medical device security—Risk management, although “similar forms of documentation are also acceptable.” According to the FDA, the security risk management report for a trustworthy device would include:

  • A system-level threat model
  • A specific list of all cybersecurity risks that were considered in the device’s design
  • A list and justification of all cybersecurity controls established in the device, including risk mitigations
  • A description of the testing done to ensure the adequacy of cybersecurity risk controls (including performance testing, vulnerability scanning, penetration testing, etc.)
  • A traceability matrix linking cybersecurity controls to the risks outlined in a security risk and hazard analysis
  • A software bill of materials that is cross-referenced with the National Vulnerability Database or a similar known database, including criteria for addressing known vulnerabilities or a rationale for not addressing known vulnerabilities.

The FDA will hold a public workshop at its White Oak, MD, headquarters on Jan. 29–30 to discuss the draft guidance, the cybersecurity bill of materials, and associated cybersecurity topics. The FDA is also accepting comments on the draft guidance at www.regulations.gov until March 18.