April 21, 2022
On April 8, the Food and Drug Administration issued draft guidance titled "Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions." This updated draft guidance replaces the agency's 2018 draft guidance of the same name and, when finalized, will supersede the agency's 2014 guidance titled "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices." In releasing this guidance, the FDA emphasized the need for effective cybersecurity to ensure that medical devices are safe at a time when many of these devices are connected to the internet and facilitate the electronic exchange of important health information. The updated draft guidance is intended to address changes in the technological landscape as well as the FDA's increased understanding of potential cybersecurity threats and of the mitigation tactics that can be deployed throughout the total product life cycle (TPLC) of a device.
The 2022 draft guidance differs from its predecessors in that it places greater importance on ensuring that medical devices are designed securely and in such a way that they can mitigate emerging cybersecurity risks throughout the device's TPLC. The guidance also clarifies and expands upon the FDA's recommendations for the premarket submission information needed to address cybersecurity concerns. The updated guidance discusses four general principles for device cybersecurity, titled as follows: "Cybersecurity is Part of Device Safety and the Quality System Regulations," "Designing for Security," "Transparency," and "Submission Documentation."
There is also a specific emphasis placed on the use of Secure Product Development Frameworks (SPDFs) to manage cybersecurity risks that are inherent to medical devices. According to the FDA, an SPDF is "a set of processes that help reduce the number and severity of vulnerabilities in products." These frameworks cover all aspects of a product's life cycle and can prevent devices from needing to be re-engineered when connectivity-based features are added post-distribution or after vulnerabilities are discovered. An SPDF can also be used as one way to adhere to the Quality System Regulation (QSR) requirements located at 21 C.F.R. Part 820. While using an SPDF is not the only approach manufacturers can take to satisfy premarket submission requirements, the FDA believes it is an effective method for manufacturing and maintaining devices that are safe, effective, trustworthy, and resilient. To assist manufacturers in implementing these frameworks, the guidance gives recommendations on how they may be created and used, how they complement the QSR requirements, and what documentation should be submitted for review as part of premarket submissions.
The issuance of this draft guidance signals a growing necessity for cybersecurity in the medical space. In recent weeks, legislation has been introduced in the Senate and the House of Representatives that aims to increase medical device security by adding certain cybersecurity and monitoring requirements for manufacturers.
The full text of the updated draft guidance is available on the FDA's website, fda.gov. Those wishing to submit comments should visit the guidance's webpage and either submit a comment online by clicking "Submit Comments Online" or submit a written comment via mail to the address provided. Comments must be submitted by July 7, 2022.
James F. Henry is a partner with Phelps where he helps healthcare providers comply with the law and achieve their business goals.