
20 Mar
FDA’s view on cybersecurity
The rapid expansion of wireless, internet-connected, and networked medical devices has heightened cybersecurity concerns for manufacturers and developers. As technology evolves, regulators strive to update and maintain security standards to address emerging challenges. The U.S. Food and Drug Administration (FDA) has released several guidance documents aimed at addressing these cybersecurity issues.
Key FDA Guidance Documents
The FDA has issued the following guidance documents related to cybersecurity:
- Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software (January 14, 2005)
- Content of Premarket Submissions for Device Software Functions (June 14, 2023) – This document replaces the previous guidance from May 2005 concerning software content in medical device submissions.
- Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions (September 27, 2023) – This document supersedes the earlier guidance from October 2014 on managing cybersecurity in medical devices.
- Postmarket Management of Cybersecurity in Medical Devices (December 28, 2016)
Threat Modeling and Legacy Device Risks
In November 2021, under the sponsorship of the using funds from the FDA. This playbook serves as a comprehensive resource for the medical device industry, illustrating how to develop effective threat models. Threat modeling is increasingly recommended by both public and private organizations as a proactive measure to manage cybersecurity threats and vulnerabilities.
In November 2023, MITRE published a white paper commissioned by the FDA titled Next Steps Toward Managing Legacy Medical Device Cybersecurity Risks. This document addresses the challenges associated with legacy medical devices, which were often designed with outdated cybersecurity measures that are now inadequate against modern cyber threats. The white paper offers strategies for addressing these evolving risks. Additionally, the FDA maintains an updated website to provide guidance on emerging cybersecurity concerns.
FDA’s Expectations for Cybersecurity in Premarket Submissions
In line with FDA cybersecurity requirements, the eStar template for 510(k) submissions involving software or devices with embedded software specifies several key elements, including:
- Cybersecurity risks
- Risk management report detailing separate, parallel and interconnected security risks in addition to the safety risk management process
- Threat model – identifying methodology (e.g., STRIDE, Attack Trees, Kill Chain, DREAD)
- Include architecture views (global system, multi-patient harm, updateability/patchability and security use case)
- Cybersecurity risk assessment – assessing likelihood by exploitability rather than by probability
- Software Bill of Materials (SBOM), including software level of support and end of support date for each software component (e.g., OTS software)
  - Justification for any component where this is not available
- Listing of supported operating systems and associated versions the device/system uses
- Safety and security assessment of cybersecurity vulnerabilities in component software used by the device for all components in the SBOM
- Description of controls that address the vulnerabilities
- Assessment of any unresolved anomalies for cybersecurity impact
- Data from monitoring cybersecurity metrics or justification where unavailable
- Information on security controls categories:
  - Authentication controls
  - Authorization controls
  - Cryptography controls
  - Code, data and execution integrity controls
  - Resiliency and recovery controls
  - Firmware and software update controls
- Architecture
- Cybersecurity testing performed with test reports:
  - Security requirement testing
  - Threat mitigation testing
  - Vulnerability testing
  - Penetration testing
- Third-party test reports with company assessment
- Cybersecurity management plan
- Patch timelines and cycles
- Interoperability interfaces
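As an added illustration of the SBOM items in the list above (not FDA's or the eSTAR template's own tooling), this Python sketch checks that every component declares a support level and an end-of-support date or carries a justification, and flags components already past end of support. The SBOM fragment and component names are constructed, and the `example:` property names are assumptions, not a standard schema.

```python
import json
from datetime import date

# Constructed SBOM fragment: CycloneDX-style components with name/value
# properties. The "example:" property names are hypothetical.
SBOM_JSON = """
{"components": [
  {"name": "tls-lib", "version": "3.0", "properties": [
    {"name": "example:supportLevel", "value": "actively-maintained"},
    {"name": "example:endOfSupport", "value": "2026-09-30"}]},
  {"name": "legacy-rtos", "version": "4.2", "properties": [
    {"name": "example:supportLevel", "value": "no-longer-maintained"},
    {"name": "example:endOfSupport", "value": "2022-12-31"}]},
  {"name": "vendor-ble-stack", "version": "1.9", "properties": [
    {"name": "example:justification",
     "value": "Supplier does not publish support dates"}]},
  {"name": "compress-lib", "version": "1.3", "properties": []}
]}
"""

REQUIRED = ("example:supportLevel", "example:endOfSupport")

def check_sbom(sbom, today):
    """Return {component: [findings]} for SBOM entries needing attention."""
    findings = {}
    for comp in sbom.get("components", []):
        props = {p["name"]: p["value"] for p in comp.get("properties", [])}
        label = f'{comp["name"]}@{comp.get("version", "?")}'
        issues = []
        # Support data may be absent only if a justification is recorded.
        missing = [k for k in REQUIRED if not props.get(k)]
        if missing and not props.get("example:justification"):
            issues.append("missing " + ", ".join(missing) + " and no justification")
        eos = props.get("example:endOfSupport")
        if eos:
            try:
                if date.fromisoformat(eos) < today:
                    issues.append(f"end of support passed on {eos}")
            except ValueError:
                issues.append(f"unparseable end-of-support date {eos!r}")
        if issues:
            findings[label] = issues
    return findings

if __name__ == "__main__":
    report = check_sbom(json.loads(SBOM_JSON), date(2024, 3, 20))
    for comp, issues in report.items():
        print(comp, "->", "; ".join(issues))
```

Components the check reports are the ones whose vulnerability assessment and patch plan deserve the closest look, since no supplier fix may be coming for them.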
Responsibility of Manufacturers
Medical device manufacturers are held accountable for the continuous safety and performance of devices throughout their lifecycle, regardless of whether the device functions as standalone software (SaMD) or as part of a larger system. The FDA emphasizes that manufacturers must actively monitor cybersecurity risks and implement corrective measures as necessary, following the requirements outlined in 21 CFR 820.100 for corrective and preventive actions.
Risk-Based Approach to Cybersecurity
FDA guidance from June 14, 2023, emphasizes the need for a risk-based approach to cybersecurity documentation, considering the likelihood of security breaches that could compromise device functionality. Furthermore, the FDA encourages manufacturers to develop detailed architecture diagrams to highlight potential cybersecurity risks and how they are mitigated.
Integrating Cybersecurity into the Quality System
The FDA’s September 27, 2023, guidance underlines that cybersecurity is an integral part of the device safety and quality system regulation. This includes risk analysis, design validation, complaint handling, corrective and preventive actions, and servicing. An effective Secure Product Development Framework (SPDF) should be implemented to proactively identify and minimize vulnerabilities throughout the device lifecycle.
Core Components of an Effective Cybersecurity Framework
An efficient cybersecurity framework should encompass the following aspects:
- Designing for security – Confirming that security objectives for authenticity, authorization, availability, confidentiality and secure and timely updates and patches are provided, and that these are implemented throughout the device architecture.
- Transparency – Information necessary to integrate the device into its use environment, as well as information necessary to maintain the cybersecurity of the medical device over its lifecycle, must be sufficiently and effectively communicated to device users.
- Submission documentation – Providing documentation to demonstrate assurance of safety and effectiveness, including cybersecurity information.
- Security risk management – Distinct from risk management as described in ISO 14971, this focuses on harms that can occur due to compromise of the device’s security, taking into account the larger system within which the medical device operates. The FDA recommends implementing a risk management plan and report such as that described in AAMI TIR57.
- Threat modeling – Identification of system risks, mitigations, and consideration of pre- and post-mitigation of cybersecurity issues. This includes risks introduced in the supply chain, manufacturing, deployment, interoperability, maintenance and update activities and decommissioning.
- Software Bill of Materials (SBOM) – Includes in-house developed and third-party components with dependencies identified.
- Security assessment of unresolved anomalies – The impact of anomalies on safety and effectiveness.
- Total product life cycle security risk management – Continuous update of control processes as new threats, vulnerabilities, assets or adverse impacts are discovered.
- Security architecture – Defining the software, any internal and external connections, as well as any interactions. This includes information on how the system is secured and a demonstration that risks have been considered and are sufficiently controlled, giving assurance of the safety and effectiveness of the medical device system.
- Cybersecurity testing – Showing threat mitigation, robust vulnerability testing and penetration testing.
- Labeling to identify the relevant security information to users.
Applying Threat Modeling Techniques
The Playbook for Threat Modeling Medical Devices aligns with the Threat Modeling Manifesto, which highlights practical methods to improve security and privacy during development. Approaches such as STRIDE and attack trees are used to assess risks, while kill chains help disrupt potential cyberattacks before they escalate.
Adopting the NIST Cybersecurity Framework
Medical device manufacturers are encouraged to adopt the NIST Cybersecurity Framework, which follows the core principles of “Identify, Protect, Detect, Respond, and Recover.” The updated version 2.0, released in February 2024, emphasizes improved governance and supply chain risk management, as well as enhanced cybersecurity assessment and measurement practices.
FDA Requirements for Premarket Submissions
Manufacturers are required to demonstrate that they have implemented robust cybersecurity controls during device design and development. This documentation must be submitted as part of premarket applications to the FDA.
Post-Market Cybersecurity Responsibilities
Cybersecurity obligations extend beyond the point of sale. Manufacturers must remain vigilant and proactive in monitoring, assessing, and addressing cybersecurity risks after the device has been released to the market. FDA guidance calls for implementing robust post-market management processes in compliance with 21 CFR Part 820, including handling complaints and executing corrective and preventive actions.
Analyzing Exploitability and Severity
The FDA advises manufacturers to focus on the exploitability and severity of device vulnerabilities when conducting risk management. Traditional risk management frameworks may not effectively capture the nuances of cybersecurity risks, making it essential to utilize scoring tools like the Common Vulnerability Scoring System (CVSS) to quantify the risk levels.
Conclusion
Incorporating cybersecurity into medical device design, quality systems, and post-market processes is crucial for maintaining device functionality and patient safety. As connectivity and data exchange capabilities in medical devices expand, organizations must continuously implement and update robust cybersecurity measures. Utilizing FDA guidance and established risk management frameworks ensures that medical devices remain secure and operational in an increasingly digital healthcare landscape.
