FDA seeks more power for medical device cybersecurity mandates
- FDA is seeking “additional legislative authorities” meant to bolster medical device cybersecurity amid growing ransomware and other cyberattacks on healthcare organizations, according to Suzanne Schwartz, director of CDRH’s Office of Strategic Partnerships and Technology Innovation.
- The agency wants to require medtechs upfront, as part of a premarket submission, to have a Software Bill of Materials (SBOM) and the capability to update and patch device security into a product’s design. In addition, FDA wants new postmarket authority to require that manufacturers adopt policies and procedures for coordinated disclosure of cybersecurity vulnerabilities as they are identified.
- Schwartz told MedTech Dive the requirements are in line with FDA’s 2018 Medical Device Safety Action Plan, which laid out the agency’s cyber roadmap for “modern enhancements” to its oversight that would apply throughout the product lifecycle of devices. FDA’s legislative proposal would codify these requirements for device companies. SBOM, which was included in an executive order signed in May by President Joe Biden to bolster the nation’s cybersecurity posture, is not a current premarket requirement but Schwartz said it’s critical to provide a shared inventory of third-party components in devices.
Faced with a tsunami of cyberattacks on hospitals and health systems, FDA wants to make the strengthening of medical device cybersecurity a top priority. However, currently there is no statutory requirement, pre- or postmarket, that expressly compels medical device manufacturers to address cybersecurity.
That’s where FDA will need the help of Congress to grant it the additional legislative authorities needed to advance medical device safety by ensuring the agency and the public have critical information about the cybersecurity of devices.
Kevin Fu, CDRH’s acting director of medical device cybersecurity, in late June told MedTech Dive the HHS FY21 budget justification describes FDA’s proposed plans for SBOM, an electronically readable format designed to provide an inventory of third-party components in devices, and other provisions to better safeguard them against new and emerging cyber threats.
Fu said one of the biggest cyber challenges is defending older medical devices against hackers and that FDA wants to require timely updates and patches for legacy devices.
“FDA seeks to require that devices have the capability to be updated and patched in a timely manner; that premarket submissions to FDA include evidence demonstrating the capability from a design and architecture perspective for device updating and patching,” Fu said.
The agency’s proposal also includes a “phased-in approach” to SBOM, a “list that includes but is not limited to commercial, open source, and off-the-shelf software and hardware components that are or could become susceptible to vulnerabilities,” according to Fu.
Schwartz emphasized the importance of making SBOM a requirement for medtechs, arguing widespread availability of this electronic inventory of third-party components in devices will make it easier for government and the private sector to know if they are affected by potential vulnerabilities and enable timely postmarket mitigations.
“It doesn’t help for [SBOM] to be held only within the manufacturer’s records but rather where the opportunity for the mitigation of risk is with that transparency,” Schwartz said. “Hospitals, healthcare facilities, providers and patients should have awareness of SBOM and that requirement is something we are working towards with respect to a future legislative proposal.”
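To illustrate the use Schwartz describes, here is an added example (not code from the article, FDA, or any manufacturer) of a hospital-side check that matches a device's SBOM against a list of vulnerability advisories to decide whether that device is affected. The device, its components, the CycloneDX-style SBOM shape and the advisory identifiers are all constructed for the example.

```python
import json
from typing import Dict, List, Tuple

# Constructed, minimal CycloneDX-style SBOM for a fictional device (not any real product).
DEVICE_SBOM = json.loads("""{
  "bomFormat": "CycloneDX",
  "metadata": {"component": {"name": "ExampleInfusionPump", "version": "3.2"}},
  "components": [
    {"type": "operating-system", "name": "example-rtos", "version": "2.4.1"},
    {"type": "library", "name": "tlslib", "version": "1.0.2"},
    {"type": "library", "name": "jsonparser", "version": "4.1.0"},
    {"type": "firmware", "name": "wifi-module-fw", "version": "7.3"}
  ]
}""")

# Constructed advisories: affected component, first fixed version, hypothetical identifier.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "component": "tlslib", "fixed_in": "1.0.5"},
    {"id": "ADV-EXAMPLE-0002", "component": "jsonparser", "fixed_in": "4.0.3"},
    {"id": "ADV-EXAMPLE-0003", "component": "bluetooth-stack", "fixed_in": "9.0"},
]

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a comparable tuple; non-numeric parts become 0."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def affected_components(sbom: dict, advisories: List[dict]) -> List[Dict[str, str]]:
    """Return every SBOM component whose version is below an advisory's fixed version."""
    hits = []
    by_name = {c["name"]: c for c in sbom.get("components", [])}
    for adv in advisories:
        comp = by_name.get(adv["component"])
        if comp is None:
            continue  # component not present in this device: advisory does not apply
        if parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
            hits.append({"component": comp["name"], "version": comp["version"],
                         "advisory": adv["id"], "fixed_in": adv["fixed_in"]})
    return hits

if __name__ == "__main__":
    device = DEVICE_SBOM["metadata"]["component"]
    for hit in affected_components(DEVICE_SBOM, ADVISORIES):
        print(f"{device['name']} {device['version']}: {hit['component']} {hit['version']} "
              f"affected by {hit['advisory']} (fixed in {hit['fixed_in']})")
```

Without the SBOM in hand, a hospital could only learn of the tlslib exposure by asking the manufacturer; with it, the check runs locally the moment an advisory is published.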
Schwartz also indicated that FDA is developing an overall framework for consistent communication of medical device vulnerabilities. In particular, she noted the importance of medical device companies publicly disclosing when they learn of a cybersecurity vulnerability, so that users know when a device may be vulnerable and customers receive direction on reducing their risk.
FDA wants new postmarket authority to require that medtechs adopt policies and procedures for coordinated disclosure of vulnerabilities as they are identified. Coordinated vulnerability disclosure (CVD), which is currently in the agency’s postmarket guidance, is a core principle for helping hospitals to “be better prepared and have the tools in place to address issues that arise,” according to Schwartz.
However, Schwartz made the case that requiring CVD as part of additional legislative authorities “levels the playing field, right now it is more voluntary.” While there are some medtechs that already participate in coordinated vulnerability disclosures, she said it’s a small percentage of the medical device industry that currently does so as a best practice.
When it comes to premarket submissions, Schwartz also said medtech companies are falling short on the threat modeling and testing needed to assess the adequacy of medical device security. Manufacturers must build security controls into the designs of their devices based on “rigorous and methodologically sound” threat models that take into consideration all potential cyber risks from hackers, according to Schwartz.
Part of the additional legislative authorities that FDA is seeking is that premarket submissions must include evidence demonstrating the capability, from a design and architecture perspective, for device updating and patching.
“Right now, under our current construct of how we review for premarket submissions, it’s certainly not explicitly called out that we can require that demonstrable evidence by manufacturers, so we want it to be very crystal clear as we go forward,” Schwartz concluded.