The U.S. Food & Drug Administration (FDA) has issued select updates to its premarket cybersecurity guidance, covering who must comply, the types of devices subject to certain agency requirements, and recommendations on how compliance should be documented in premarket submissions.
WHY IT MATTERS
FDA said in the Federal Register Wednesday that the proposed update to the final guidance “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions” interprets “the ability to connect to the Internet” as covering devices that, intentionally or unintentionally, can connect in any way, “including at any point identified when evaluating the device threat surface and operating environment.”
Specifically, the FDA said in the new draft that it considers devices with Wi-Fi or cellular connections; network, server or cloud service provider connections; Bluetooth or Bluetooth Low Energy; radio frequency communications; inductive communication; and Ethernet and similar hardware connections as having the ability to connect to the Internet.
The required coordinated vulnerability disclosure may include:
- Coordinated disclosure of vulnerabilities and exploits identified by third-party entities, including third-party software vendors and researchers.
- Disclosure of vulnerabilities and exploits identified by the cyber device manufacturer.
- Manufacturer’s procedures for disclosing such vulnerabilities and exploits.
The agency suggested that the plans required under section 524B of the FD&C Act describe the timeline and associated justifications for developing and releasing required updates and patches.
That includes known unacceptable vulnerabilities “on a reasonably justified regular cycle,” as well as available patches for critical vulnerabilities that cause “uncontrolled risks to the device and related systems” as soon as possible outside the regular cycle.
The agency also recommends that manufacturers of covered devices “anticipate and make appropriate updates to these plans, as well as to the processes and procedures” as new information becomes available, such as when “new risks, threats, vulnerabilities, assets, or adverse impacts” arise or are discovered throughout the product life cycle.
Further, manufacturers should establish or update appropriate threat modeling documentation to maintain it throughout the lifecycle of the device, the agency said.
“Doing this allows manufacturers to quickly identify the impact of vulnerabilities as soon as a device is released and can also help meet Section 524B patch requirements,” the FDA said.
The deadline for public comment is May 13 and the draft can be downloaded from the FDA’s Digital Health Center of Excellence cybersecurity page.
THE BIG TREND
In the final premarket submission guidance for medical devices released in September, the FDA recommended further documentation on the constituent parts of cyber devices, as defined in section 524B, which addresses cybersecurity considerations for devices “including but not limited to devices that have a device software function or that contain software – including firmware – or programmable logic.”
While the guidelines are voluntary and thus have sparked some discussion in the healthcare IT sector – as happened this week during a panel session on IT strategies for securing medical devices against cyber attacks at the HIMSS24 Conference and Exhibition in Orlando – the FDA has also come under scrutiny from the Government Accountability Office, which has pressed it to strengthen cybersecurity oversight since the final guidance was released.
After GAO reviewed medical device cybersecurity under the Consolidated Appropriations Act of 2023, it recommended that FDA and the Cybersecurity and Infrastructure Security Agency update their agencies’ medical device cybersecurity coordination agreement.
GAO noted in its report, released in December, that while the FDA is implementing new cybersecurity authorities, it has not yet identified the need for additional authority.
“They can take steps to help ensure device cybersecurity under existing authorities, such as monitoring health sector and CISA alerts, and directing manufacturers to communicate vulnerabilities to user communities and remediate the vulnerabilities,” the GAO said.
This week’s draft update aims to further inform software and device manufacturers on how to structure cybersecurity maintenance of medical and biological devices and component devices that are accessible online.
ON THE RECORD
“It is well established that if a device has the capability to connect to the Internet, it is possible for it to connect to the Internet, regardless of whether such connectivity was intended by the sponsor of the device,” the FDA said in the draft update addressing section 524B of the FD&C Act.
Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.