FDA Finalizes Medical Device Cybersecurity Guidance: Major Step Forward

By the First Health Team

The Food and Drug Administration finalized its cybersecurity guidance for premarket medical device submissions, which outlines key recommendations for device design, labeling, and documentation as it relates to cybersecurity risks.

The release was timed with its October 1 deadline for medical device manufacturers, the date on which the FDA will begin to “refuse to accept” medical devices and related systems over cybersecurity concerns.

Beginning next week, all new device submissions must include detailed cybersecurity plans for monitoring, identifying, and addressing all post-market vulnerabilities and exploits within a reasonable timeframe, through coordinated vulnerability disclosure and response plans.

“Healthcare digital leaders face all manner of challenges. One that we could avoid is that of ‘friendly fire,’” said Buddy Hickman, First Health Advisory’s chief strategy officer.

The FDA update supersedes its 2014 “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” guidance and will support the recommended measures to “promote consistency, facilitate efficient premarket review, and help ensure that marketed medical devices are sufficiently resilient to cybersecurity threats.”

The release aligns with the recent NIST Cybersecurity Framework (CSF) 2.0, which added a governance element to reflect the need for broader transparency into the current state of threats. For biomedical engineering and medical devices, the added measures will ensure greater visibility for shared governance teams and board fiduciaries into the actions needed, explained Hickman.

“Continual improvements of our other reliant frameworks and standards, including those supporting accreditation, should follow,” said Hickman.

To Toby Gouker, First Health Advisory’s chief security officer of Government Health, this latest guidance is a major step forward in the industry.

“Congratulations to the FDA for stating that: ‘ensuring device safety and effectiveness includes adequate device cybersecurity, as well as its security as part of the larger system,’” said Gouker. “The emergence of the WannaCry threat and others exposed a true blind spot in healthcare delivery organizations’ threat surface.

“The threat surface has continued to grow rather than shrink, without any new and clearer guidance from the FDA on new devices,” he continued.

The four tenets created from the FDA’s responsibility for Device Safety and Quality System Regulation will provide healthcare delivery organizations with much-needed support in new device purchases and empower them not to accept the inherent risks posed when introducing new technology to the network, explained Gouker.

1. The recommendation of a Secure Product Development Framework will raise manufacturers’ awareness of vulnerabilities and their severity as they select components for their new builds.

2. Security Objectives will help manufacturers design security in from the start.

3. Transparency will be of great importance to healthcare delivery organizations and their supply chain functions. They will now be able to build the cost of securing a device into the initial acquisition cost as well as the full life cycle cost of their devices.

4. A Systems Approach to medical device evaluation will help build documentation on the device’s larger cyber-impact on the connected systems.

As noted this summer by First Health’s Chief Security Officer of Clinical & Operational Security and Technology, Matt Dimino, healthcare delivery organizations can leverage these new requirements when considering adding new devices to the network. Network defenders should update their contract language to reflect these requirements and ensure that controls and protection mechanisms are written into their contracts during device procurement.