FDA ramps up cybersecurity efforts with stricter guidance for devicemakers

Important things come on a quadrennial basis: leap years, presidential elections, the Olympics and, apparently, edicts from the FDA about the need for heightened cybersecurity measures to protect connected medical devices.

The agency’s latest draft guidance (PDF) on the subject arrived this week, following previous releases in 2018 and 2014. The FDA noted that regular revisions and updates are especially necessary when it comes to the topic of cybersecurity because of “the rapidly evolving landscape and the increased understanding of the threats and their potential mitigations,” as well as an increasing number of hacks targeting devices and healthcare providers.

The guidance—which is accepting comments until early July, when the FDA will begin finalizing its recommendations—revolves around four core principles: the idea that cybersecurity is a key part of overall device safety; the need for security elements to be embedded throughout a device’s design; the importance of transparency in disclosing cybersecurity measures and vulnerabilities; and a mandate that all potential vulnerabilities be explored in the device’s regulatory application.

Taken together, the FDA said, “These recommendations can facilitate an efficient premarket review process and help ensure that marketed medical devices are sufficiently resilient to cybersecurity threats.”

To ensure all four of those central principles are present in a device’s development and eventual FDA submissions, the agency recommends devicemakers create and adopt a Secure Product Development Framework, or SPDF, which it describes as “a set of processes that reduce the number and severity of vulnerabilities in products throughout the device lifecycle.”

An SPDF should comprise a devicemaker’s risk management efforts, the security architecture of each of its devices and details of its cybersecurity testing.

In the first category, the FDA offered up a handful of suggestions for risk management tactics that can then be described in a premarket submission. They include modeling all potential threats to a device and performing a thorough assessment of all bugs, defects and other anomalies in a device’s software before submitting it for approval. The FDA also asks developers to include all third-party components in their cybersecurity risk assessments, ideally compiling a “software bill of materials” that would list every single component of a device to make it easier to pinpoint the source of any future vulnerability.
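To illustrate what the FDA expects a software bill of materials to enable, here is an added example (not from the article or the FDA guidance) that checks a device SBOM against a vulnerability advisory and returns the affected component. The SBOM layout loosely follows CycloneDX, but every component name, version, supplier and the advisory itself are constructed placeholders.

```python
# Added example: pinpointing which SBOM component a vulnerability advisory affects.
# The SBOM is constructed for illustration (CycloneDX-like layout, not validated);
# component names, versions, suppliers and the advisory are hypothetical.
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

DEVICE_SBOM: Dict = {
    "bomFormat": "CycloneDX",  # layout only; constructed sample, not a real document
    "metadata": {"component": {"name": "example-pump-firmware", "version": "3.2.0"}},
    "components": [
        {"name": "rtos-kernel", "version": "5.1.0", "supplier": "HypotheticalRTOS"},
        {"name": "tls-stack",   "version": "2.4.1", "supplier": "HypotheticalTLS"},
        {"name": "json-parser", "version": "1.0.3", "supplier": "HypotheticalJSON"},
        {"name": "ble-stack",   "version": "3.0.0", "supplier": "HypotheticalBLE"},
    ],
}

# Hypothetical advisory; affected versions are comma-separated constraints.
ADVISORY = {"id": "ADV-PLACEHOLDER-001", "component": "json-parser",
            "affected": ">=1.0.0,<1.0.5", "fixed": "1.0.5"}

OPS = {">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
       "<=": lambda a, b: a <= b, "<": lambda a, b: a < b,
       "==": lambda a, b: a == b}

def parse_version(text: str) -> Version:
    """Turn '1.0.3' into (1, 0, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))

def version_matches(version: str, constraints: str) -> bool:
    """True when every constraint in e.g. '>=1.0.0,<1.0.5' holds for version."""
    v = parse_version(version)
    for raw in constraints.split(","):
        raw = raw.strip()
        # Two-character operators are tried first so '>=' is not read as '>'.
        op = next(o for o in (">=", "<=", "==", ">", "<") if raw.startswith(o))
        if not OPS[op](v, parse_version(raw[len(op):])):
            return False
    return True

def affected_components(sbom: Dict, advisory: Dict) -> List[Dict]:
    """Return the SBOM components that the advisory's affected range covers."""
    return [c for c in sbom["components"]
            if c["name"] == advisory["component"]
            and version_matches(c["version"], advisory["affected"])]

if __name__ == "__main__":
    for comp in affected_components(DEVICE_SBOM, ADVISORY):
        print(f"{ADVISORY['id']}: {comp['name']} {comp['version']} from "
              f"{comp['supplier']} is affected; fixed in {ADVISORY['fixed']}")
```

Without the SBOM, answering "does this device ship the affected parser?" means reverse-engineering the firmware; with it, the question is a lookup that can be repeated for every advisory over the device's lifetime.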

A device’s security architecture, meanwhile, “defines the system and all end-to-end connections into and/or out of the system,” per the FDA. By submitting that information during the premarket review process, the agency will be better able to assess its safety and weigh any potential hacking risks.

Finally, alongside the typical tests of a device’s ability to address a designated health issue, the FDA is also asking devicemakers to put their products through the cybersecurity gauntlet—and submit those results in the same vein as clinical trial documentation, spanning security requirements, threat mitigation efforts and vulnerability and penetration testing.

Since finalizing its first cybersecurity guidance for medical devicemakers in 2014, the FDA has been steadily strengthening its efforts to ward off cyberattacks.

In early 2021, for example, the agency named its first-ever director of medical device cybersecurity within the Center for Devices and Radiological Health. It tapped Kevin Fu, Ph.D., an associate professor and director of the Security and Privacy Research Group at the University of Michigan, to fill the role in an acting capacity.