Concerns Expressed about FDA Medical Device Security Guidance

The U.S. Food and Drug Administration (FDA) is assessing the responses to its draft guidance for medical device manufacturers, which it published in October 2018.

Over 40 groups and healthcare organizations submitted comments on the guidance, entitled Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, before the March 18 comment deadline. The FDA will update the guidance after reviewing the responses and will release the final version later this year.

The premarket review process requires medical device manufacturers to submit a ‘Cybersecurity Bill of Materials’ (CBOM) to the FDA. The CBOM must list the software and hardware components that have known vulnerabilities or are prone to vulnerabilities. The CBOM is intended to help healthcare organizations evaluate and manage the risk of the devices they deploy.

However, this was an area where many comments were received. While many groups praised the requirement, concerns were raised about including all hardware parts in the CBOM, as device manufacturers may not be able to provide that information. Including every hardware component and subcomponent would also produce an extensive list containing hundreds of different parts, and hardware is also likely to be beyond device manufacturers’ control. Commenters requested that the CBOM cover software only and that its name be changed to Software Bill of Materials.

The FDA has proposed a two-tier classification of medical devices based on their level of cybersecurity risk. The first tier consists of devices with a high cybersecurity risk, such as devices that connect to healthcare computer networks and devices that could harm multiple patients in the event of a cyberattack. The second tier consists of devices with a typical level of cybersecurity risk.

A number of groups submitted feedback requesting adjustments to this tiered system, such as replacing the two tiers with a risk-based system, or adding a third tier for devices with a low cybersecurity risk. Others suggested changing the definitions of the tiers to include indirect harm to organizations or patients and to incorporate the privacy risks arising from the compromise of sensitive information.

CHIME recommended that the FDA change its definition of medical device risk to include all risks connected with medical devices. A compromised medical device may be used as a platform for further attacks on an organization, so the risk goes well beyond the device itself. CHIME recommended that the FDA extend the definition of risk to include hazards to the whole health IT environment.

CHIME also noted that a number of device manufacturers are not doing enough to deal with identified risks. For instance, the patch that corrects the vulnerability exploited by WannaCry ransomware in 2017 still has not been applied to many medical devices, because manufacturers categorize the vulnerability as a controlled risk. Device manufacturers are also not doing enough to address known vulnerabilities until the FDA requires a device recall. CHIME said it should not be left to device manufacturers to decide whether a risk is controlled.

CHIME further recommended that the FDA be clear about the actions medical device manufacturers must take to address identified vulnerabilities so that patient safety is not compromised, and that manufacturers be required to meet a certification standard, as is already the case for electronic medical record systems.