Experts said that the Food and Drug Administration’s long-awaited draft cybersecurity guidance, released on Thursday, will go a long way toward improving device security and patient safety if medical device manufacturers follow it.

The FDA draft guidance, which replaces a 2018 document, lays out a total product lifecycle approach to cybersecurity, with recommendations for how medical device manufacturers should address security in premarket submissions and how they should maintain their software-based products postmarket.

“This is the finished product from the 2018 outline. They really polished it and have done a much better job on this document. That’s not to say it’s without its faults. It has them but it’s a much better document,” said Chris Gates, director of product security at medical device engineering firm Velentium.

While the FDA issued final cybersecurity guidance addressing premarket expectations in 2014 and complementary postmarket guidance in 2016, the agency makes the case in its latest draft guidance that rapidly evolving cybersecurity threats and hacker attacks on the healthcare sector warranted an “updated, iterative approach” to device security.

The agency’s 2022 draft guidance warns that growing and sophisticated “cybersecurity incidents have rendered medical devices and hospital networks inoperable, disrupting the delivery of patient care across healthcare facilities in the U.S. and globally.”

Suzanne Schwartz, director of the Centers for Devices and Radiological Health’s Office of Strategic Partnerships and Technology Innovation at the FDA, told MedTech Dive the agency’s latest draft guidance underscores the “total product lifecycle nature of cybersecurity considerations with respect to medical device,” including premarket device submissions and deployment mitigations for older legacy devices that were not built with security in mind.

The FDA emphasizes that the contents of its 2022 draft guidance, which apply to devices that contain software including firmware or programmable logic, “do not have the force of law” and “should be viewed only as recommendations, unless specific regulatory or statutory requirements are cited.”

While the FDA’s recommendations for premarket submissions are not requirements, those device manufacturers who choose an alternate approach “would have to really provide pretty solid, ample justification” as to why it satisfies the statutory requirements for meeting safety and effectiveness in quality system regulations, according to Schwartz.

“Where we have teeth here actually is manufacturers recognize that [following this guidance] is likely to be their best way to get a product on to the market,” Schwartz said. “Not following the guidance is going to create greater, probably, complexities or potential hardships as far as addressing questions that will come up. That means potentially delays.”

Velentium’s Gates contends that the FDA’s guidance represents “de facto requirements” and that if medical device manufacturers want to get through premarket approval they need to meet the agency’s cybersecurity expectations.

An AdvaMed spokesperson said the medtech lobby “is still reading through and evaluating” the FDA’s draft guidance and that “there is a process we take with our members before we reach the point of a public statement.”

The agency is accepting public comments on the guidance until July 7.

Mike Rushanan, director of medical security at consultancy Harbor Labs, contends that manufacturers currently in the pre-submission phase “will be scrambling” in light of the new document.

“The substance of the guidance will cause them to scrutinize their approach more, and they’ll need to perform a gap assessment to see where they have shortcomings,” Rushanan said.
