On June 14th, 2022, the FDA held a webinar to present the changes to its medical device cybersecurity guidance and to distribute the draft for comments and questions from industry. This is the first update since the previous draft guidance, which was released for comment in 2018 and was never finalized. FDA is continuing to refine its understanding of the true scope and risk that cybersecurity poses to medical devices. Below are some highlights (and lowlights) from the webinar.
1. When asked about timelines and which guidance manufacturers should follow today, FDA confirmed that the final 2014 version remains in effect. The 2022 draft contains at least three statements notifying readers that it is not yet the official guidance:
Figure 1: Header note
Figure 2: Cover page note
Figure 3: Page one pre-introduction note
2. The 2022 draft updates the title and expands the scope, with increased focus on:
- Quality System regulation and alignment with a Secure Product Development Framework (SPDF)
- System/product lifecycle maintenance (periodic software updates and end of life)
- Increased clarity on documentation recommendations for premarket submissions
- Removal of the tier-based approach, so that all manufacturers are expected to assess cybersecurity risk
3. Updates are included for the following areas:
- Security objectives for design, and design recommendations
- Documentation recommendations, including security risk management, architecture and testing
- End user transparency, including labeling recommendations and vulnerability management plans
4. Nomenclature changes:
- The Cybersecurity Bill of Materials (CBOM) is now the Software Bill of Materials (SBOM), for which the draft lists recommended contents.
Opinion
The Good: The updates to this guidance continue to reflect the escalating importance of cybersecurity in patient protection, and our evolving understanding of its role in device safety, efficacy, data protection and availability. This includes looking out to the horizon and examining future states of the device or system and their potential vulnerabilities. Manufacturers will need to go deeper in their initial design risk analysis and consider threat paths that may emerge during the product's useful life, such as peripheral connections, connected applications, future software/firmware updates, update portals, and end of life/support for software components.
The Bad: This latest guidance from the FDA does not appear to be moving any closer to alignment with other, more widely adopted risk management standards. Instead, the FDA appears to treat security risk management as distinct from safety risk management, while acknowledging that the two feed into each other. Medical device manufacturers will need to continue to account for the multiple lenses through which global regulators will review their products with regard to cybersecurity.
The slides of the webinar, "Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions", can be downloaded here.
The draft Cybersecurity Guidance (April 8, 2022) can be downloaded here.