Third time is a charm: US FDA reissues draft cybersecurity guidelines

After extensive stakeholder feedback, the U.S. Food and Drug Administration has decided that instead of finalizing a draft 2018 premarket cybersecurity guidance, it will reissue an all-new draft guidance with significant changes. . One of these changes is requiring manufacturers to provide a software bill of materials (SBOM) instead of a cybersecurity bill of materials (CBOM), which was a major sticking point for the medtech industry.

The FDA has released the draft guidelines titled “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissionson April 7. This follows a final premarket cybersecurity guideline published by the agency in 2014, then updated in a draft guideline in 2018. Cybersecurity: FDA sets out updated premarket policies and regulatory focusOctober 17, 2018).

After the release of the 2018 draft guidelines, the FDA received significant feedback from stakeholders through commentaries and at a public workshop that led regulators to decide that rather than making changes and finalizing the draft guidelines, it was better to draw up a new guideline.

Suzanne Schwartz, director of the Office of Strategic Partnerships and Technology Innovation at the Center for Devices and Radiological Health (CDRH), notes that the early guidelines were only 9 pages, while the latest guidelines are nearly 50 pages, which indicates how far the guidelines have evolved.

“The very first orientation in 2013/14 was fundamental. This put a stake on the ground in terms of the fundamentals that the FDA wanted to articulate to the industry around what we expected to incorporate cybersecurity into the design of new devices,” she said. Regulatory guidance. “We were really starting from a very rudimentary place to articulate these basic principles and recognizing even then that this was going to be a field with a good amount of iteration and evolution, and that we would see it again at some point. given in the future.”

Schwartz noted that subsequent draft guidelines provide much more granularity in terms of what the FDA has learned about cybersecurity best practices in the pre-market and post-market space, and what it wants to see in the product development.

“This new pre-market focus really raises the bar in technical detail, in the expectations that we have of manufacturers, so we’re not dealing with devices that have the same legacy challenges that we have today,” Schwartz said.

The early guidelines were comparatively much simpler and focused on a framework for the FDA, industry, healthcare providers, and other stakeholders to work together to develop new products with cybersecurity in mind. By comparison, the 2018 draft guidelines provided much more detail about what the agency wants to see in product applications and emphasized the need for sponsors to take a total product lifecycle (TPLC) approach. ) in terms of cybersecurity.

The latest iteration, however, adds to this by asking sponsors to think about cybersecurity in the context of the agency’s Quality System Regulations (QSR) and to consider using a Secure Product Development Framework (SPDF) to reach this goal.

“An SPDF encompasses all aspects of a product’s lifecycle, including development, release, support, and retirement,” the draft guidelines state. “Additionally, using SPDF processes during device design can avoid having to redesign the device when connectivity-based features are added post-market and distribution, or when vulnerabilities lead to uncontrolled risks are discovered.”

A key difference between the 2018 draft guidelines and the new one is that the FDA has decided to only require sponsors to provide a software nomenclature (SBOM) instead of a cybersecurity nomenclature (CBOM). While SBOMs focus on the types of software built into a device, CBOMs also need to consider the types of hardware that the industry believes would be significantly more cumbersome to list.

“Most of the vulnerabilities we’re going to encounter anyway will be software-related and we wanted to avoid perfect being the enemy of good here,” Schwartz said. “When we’re looking for a way to make impactful change, we achieve it with a software BOM and forgo the hardware part for now.”

Another big change from the previous draft guidelines is that the FDA removed the requirement that sponsors categorize their product into risk levels. According to Schwartz, the industry argued that as long as certain parameters were met, risk levels were not necessary.

“We have not made a distinction in terms of what must be provided as requested cybersecurity information in the pre-market process,” she noted. “We’ve put a lot more detail on what this documentation should look like in a pre-market submission and that’s inserted all the way through the instructions.”

Shwartz also notes that another key part of the new draft guidelines is that it aligns with President Joe Biden. May 2021 Executive Order to improve the United States’ cybersecurity posture. The command specifically focuses on protecting US infrastructure and industrial control systems from nation-state actors.

“This executive order made a very important point about the use of SBOMs and actually requiring SBOMs for government-purchased devices and we felt it was very important for us to align ourselves with this executive order as well,” said Schwartz said. .

Beyond the requirement for SBOM transparency, the guidelines also emphasize transparency by asking manufacturers to provide technical information such as manuals that healthcare providers can use to act quickly to patch the devices.

“A lack of cybersecurity information, such as the information needed to integrate the device into the usage environment, as well as the information needed by users to maintain the cybersecurity of the device throughout its lifecycle. life, can affect the security and effectiveness of a device,” the guide states. “To address these concerns, it is important that device users have access to information about the device’s cybersecurity controls. , potential risks and other relevant information.”

Specifically, the failure of guidance note sponsors to provide information on whether the device has undisclosed cybersecurity vulnerabilities or risks could degrade its effectiveness. He also notes that user manuals that don’t include enough information to explain how to set up or update the device securely can limit end users’ ability to protect it.

“What has been very clear to us is the importance of good communication and transparency in order to give healthcare organizations the tools and means by which they can also respond to cybersecurity issues. when they arise in the maintenance of devices on their networks and systems,” Schwartz said. “We want to make sure healthcare organizations have what they need to properly arm and protect their networks, and, ultimately, to protect devices and patients.”

The topic of medical device cybersecurity is also addressed in the user fee reauthorization bill currently before Congress. The FDA recently asked lawmakers to give it more power to require that cybersecurity considerations be built into medical devices in its budget request to Congress. On that note, Rep. Michael Burgess (R-TX) proposed exactly that in an addendum to the Medical Device User Fee Amendment Reauthorization Bill (MDUFA V). (Related: FDA Legislative Wish List Includes Device Cybersecurity, Generic Exclusivity Fix, and More, Regulatory Focus, April 4, 2022)

The new draft guidelines are open for comment for 90 days, after which the FDA will review comments and decide whether to make changes before issuing a final guideline, though Schwartz says the final guideline likely won’t be released this year.

“There are a lot of things that are totally out of our control in terms of compensation (the tips),” Schwartz said. “Apart from agency compensation, there are other levels of compensation that the guidelines must undertake and we have no way of being able to control that.”

She said, however, that the FDA hopes to disseminate the guidelines wherever possible, including through public places, and said people should stay tuned to find out what it will look like.

Stakeholders can comment on the new draft guidelines on under the file number. FDA-2021-D-1158 through July 7, 2022.

© 2022 Society of Regulatory Affairs Professionals.

Comments are closed.