Hogan Lovells 2024 Election Impact and Congressional Outlook Report
The U.S. Food and Drug Administration (FDA) issued updated draft guidance, “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions,” which aims to help industry take a more holistic approach to managing cybersecurity, starting in the design and development of their medical devices, and relatedly flags those documents that it recommends be developed and included in device premarket submissions. Below we analyze how the April 2022 draft guidance differs from its October 2018 predecessor, including that it recommends a Secure Product Development Framework (SPDF) to satisfy Quality System Regulation (QSR) requirements with detailed recommendations on how to address cybersecurity as a component of design controls (including an emphasis on robust threat modeling as part of risk assessment), promotes inclusion of a Software Bill of Materials (SBOM) with all new products, and removes the requirement that sponsors categorize their product into risk tiers. FDA is requesting comments on the draft guidance, with a deadline of July 7.
In June 2013, FDA issued the brief draft guidance, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” finalized in 2014. In 2018, FDA proposed substantial updates to the 2013-14 guidance, and issued a draft guidance of the same name, which we summarized online here. Meanwhile, the final guidance “Postmarket Management of Cybersecurity in Medical Devices” (“Postmarket Cybersecurity Guidance”) issued in 2016 was complementary to the 2018 premarket guidance, and remains in effect.
The 2022 draft guidance analyzed herein replaces the 2018 draft version, and adds significant discussion intended to further emphasize the importance of ensuring that devices are designed securely, enabling emerging cybersecurity risks to be mitigated throughout the device’s Total Product Lifecycle (TPLC). Additionally, throughout the document, the agency reiterates that the risk management work per ISO 14971 may reach a different and contrary conclusion to the cybersecurity risk assessment of vulnerabilities and while these two types of activities are inherently related, they should be dealt with as distinct. The updated draft guidance also aims to outline FDA’s recommendations more clearly for premarket submission content to address cybersecurity concerns. Announcing the draft guidance, FDA noted that regular revisions and updates are especially necessary when it comes to the topic of cybersecurity because of “the rapidly evolving landscape and the increased understanding of the threats and their potential mitigations,” as well as an increasing number of hacks targeting devices and health care providers. FDA’s view in this regard is in line with how regulators in other sectors are increasingly highlighting the evolving cyber threat landscape as requiring more nimble approaches to both industry guidance and regulatory oversight.
The general principles put forth in the draft guidance comprise an acknowledgement that cybersecurity is part of device safety and the QSR, which require a medical device manufacturer to establish and maintain procedures for developing and validating a device’s design. These QSR expectations include software validation and risk analysis, which FDA says are key elements of cybersecurity analyses and demonstrating whether a connected device has a reasonable assurance of safety and efficacy.
New in the 2022 draft guidance, FDA focuses on the ability of a SPDF to satisfy QSR requirements. FDA describes an SPDF as “a set of processes that reduce the number and severity of vulnerabilities in products throughout the device lifecycle.” The SPDF should comprise a device maker’s security focused risk management efforts, as well as development of a robust security architecture of each of its devices from various points of views including “all end-to-end connections into and/or out of the system” and performing cybersecurity testing, such as definition of security requirements, threat mitigation, vulnerability testing, and penetration testing according to the draft guidance. For example, the updated draft guidance includes a new subsection emphasizing FDA’s expectations around threat modeling as a key component of overall security risk management, building on FDA’s prior statements that this is a point of emphasis in premarket review.
The guidance makes clear FDA’s expectation that a device maker’s security risk management efforts be documented and described in a premarket submission. FDA says it will be better able to assess its safety and weigh any potential hacking risks if this information is submitted to the agency during the premarket review process. Many elements of the updated draft guidance track the types of questions FDA was increasingly asking during premarket review, and thus the guidance may help other companies better anticipate how FDA will evaluate cybersecurity and create the corresponding types of documentation to reduce or avoid delays in premarket review.
The 2022 draft guidance also includes a new recommendation that manufacturers include a Software Bill of Materials (SBOM) with all new products that gives users information on the various elements that make up a device. An SBOM includes both the device manufacturer developed components and third-party components (including purchased/licensed software and open-source software), and the upstream software dependencies that are required/depended upon by proprietary, purchased/licensed, and open-source software. An SBOM encompasses all software components (licensed, developed, or accessed remotely) that are required for a device to function throughout all phases of its life cycle, including development, release, support, and decommissioning.
This recommendation to include a SBOM replaces the suggestion to include a Cybersecurity Bill of Materials (CBOM), which was an arguably more onerous requirement, given that a CBOM must also take into consideration the types of hardware that could become susceptible for vulnerabilities. The creation of CBOM has been a matter of some controversy within industry due to the burdens associated with creating such a document and the amount of disclosure that would be required.
Beyond requiring SBOMs for transparency, the guidance puts significant emphasis on providing transparency by asking manufacturers to provide technical information, such as manuals that health care providers can use to do their part to manage device security and also act quickly to patch devices when needed. FDA also makes clear that the SBOM needs to be maintained as a part of a company’s configuration management and be regularly updated, and suggests that it should be part of a design history file and design master record. FDA, in the guidance, identifies the information to support the SBOM that should be submitted to FDA in premarket submissions and also notes that it will accept SBOMs that conform to industry standards.
As a major component of FDA’s desire for transparency, the agency provides detailed recommendations for labeling and especially where cybersecurity risk management is transferred to the user (consistent with the agency’s recognition that effective cybersecurity management is a shared responsibility among stakeholders throughout the use environment of medical device systems, including health care facilities, patients, health care providers and manufactures of medical devices). Also consistent with its broader TPLC view, FDA recommends that manufacturers establish a plan for how they will identify and communicate vulnerabilities, refers to the Postmarket Cybersecurity Guidance, and also recommends that companies plan for the possibility that third party software that is integrated into the device may reach obsolescence by suggesting that companies may want to include provisions in licensing agreements at the outset to secure rights to software code should that occur.
Despite the 2022 draft guidance being significantly lengthier than its 2018 predecessor, FDA has removed the requirement that sponsors categorize their medical device into cybersecurity risk tiers (although we note that software level of concern analyses are still required under separate FDA guidance). In place of this discussion, FDA added into the 2022 draft guidance substantial explication of how that documentation should look like in a premarket submission.
This guidance goes into much greater depth on how to address cybersecurity in the design and development of software products than before and ties the resulting design control documentation to that which FDA recommends be submitted in premarket submissions. Additionally, it more explicitly identifies and describes the types of analysis and records the agency expects to be created to specifically address cybersecurity, which does not supplant a company’s normal design control risk management processes, but rather should be viewed as supplementing it. In FDA’s view, this level of detail should help companies better align their design control process with its processes for evaluating software security risk and generating records that will meet FDA expectations for cybersecurity management and also be suitable for submission in a premarket submission. The length and amount of detail provided in the guidance is helpful, but may well also pose challenges to some companies; particularly those who are fairly far along in the development of their product. As FDA has been abundantly clear in recent years, cybersecurity needs to be baked in, not bolted on—but some companies may have no choice but to do more of both to address FDA’s new guidance with devices already in the pipeline.
In March, U.S. Rep. Michael Burgess (R-TX) introduced before Congress the “Protecting and Transforming Cyber Health Care Act of 2022” (PATCH Act, H.R. 7084), which aims to enhance medical device security by requiring manufacturers to have a plan for monitoring and addressing postmarket cyber exploits, among other measures. Later in March, U.S. Sens. Bill Cassidy (R-LA) and Tammy Baldwin (D-WI) introduced the same legislation in the Senate. We will continue to monitor these proposed measures and keep you apprised of any changes.
FDA is seeking comments on the draft guidance through July 7, 2022. If you have any questions on the draft guidance, on cybersecurity concerns more generally, or may wish to submit a comment, please contact any of the authors of this alert or the Hogan Lovells attorney with whom you generally work.
Authored by Jodi K. Scott, Kelliann Payne, Paul Otto, and Randy Prebula