Reactions to FDA Draft Cybersecurity Guidance

November 7, 2018

It’s not often that one can get excited reading draft regulatory guidance. However, our team was pleasantly surprised by the quality and quantity of specific and actionable cybersecurity recommendations in the US Food and Drug Administration (FDA) draft Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, published October 18, 2018.

We credit the FDA with acknowledging that cybersecurity attacks have already affected the ability of providers and facilities to deliver good and timely care to patients. The FDA also draws some important distinctions. First, it notes that “effective cybersecurity management is intended to decrease the risk of patient harm by reducing device exploitability which can result in intentional or unintentional compromise of device safety and essential performance.” The measures it targets are those that protect “essential performance”, a theme that comes up several times in the guidance. Next, it creates two tiers of devices: one for devices that present a higher cybersecurity risk because they 1) connect to other devices or networks and 2) could, if compromised, harm patients, and another for devices of “standard” risk. Lastly, it provides specific, actionable measures that companies should take to secure their devices.

The FDA’s recommendations

Some notable recommendations include:

  1. Cybersecurity Bill of Materials (CBOM): The draft recommends that manufacturers provide a CBOM listing all open source and commercial software and hardware components in a device, cross-referenced to the National Vulnerability Database (NVD). A digital device is typically built from hundreds of parts, both physical chips and third-party software packages. If implemented correctly, the CBOM provides a way to know and track the composition of a device and to identify the vulnerabilities those components introduce, both at submission time and as new vulnerabilities are published after the device ships.

  2. Recommendations for authentication and authorization, integrity protection, transport security, incident detection, and resilience that are in line with industry best practices: Without getting into too much technical detail, the FDA provides a set of specific and measurable parameters for how devices should be built and secured. Many of these reflect the recommendations our team makes to device manufacturers to secure their products; while not all-encompassing, they are a strong set of initial recommendations.
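The cross-reference described in the first recommendation above (CBOM entries matched against vulnerability records by vendor, product and version range) is the part of the guidance that most directly turns into tooling. The following is an added example written for this post; it is not code from the original post or from the FDA. The bill of materials and the vulnerability records are constructed for illustration, with fictional vendors, products and placeholder identifiers. A real check would load the device's CBOM from a CycloneDX or SPDX file and match it against the NVD data feeds, whose CPE match entries use the same inclusive-start, exclusive-end version ranges modelled here. The example also handles the case practitioners hit most often: a CBOM entry with no version, which cannot be matched and must be reported rather than silently passed.

```python
"""Cross-reference a device CBOM against vulnerability records.

Added example, not the original post's or the FDA's code. All vendors,
products, versions and identifiers below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    vendor: str
    product: str
    version: str      # "" when the CBOM does not state a version
    kind: str         # "software" or "hardware"


@dataclass(frozen=True)
class VulnRecord:
    ident: str             # constructed placeholder, not a real CVE ID
    vendor: str
    product: str
    version_start: str     # inclusive lower bound, "" for unbounded
    version_end: str       # exclusive upper bound, "" for unbounded
    cvss: float


def version_key(version: str) -> tuple:
    """Sortable key for dotted versions such as 2.10.1.

    Numeric segments compare numerically so that 2.10 sorts after 2.9,
    which a plain string comparison would get wrong. Non-numeric segments
    compare as text and sort after numeric ones.
    """
    key = []
    for seg in version.split("."):
        key.append((0, int(seg)) if seg.isdigit() else (1, seg))
    return tuple(key)


def in_range(version: str, start: str, end: str) -> bool:
    """True when start <= version < end, treating "" as unbounded."""
    v = version_key(version)
    if start and v < version_key(start):
        return False
    if end and v >= version_key(end):
        return False
    return True


def matches(comp: Component, rec: VulnRecord) -> bool:
    """Vendor and product must match (case-insensitively) and the version must fall in the record's range."""
    same_product = (comp.vendor.lower() == rec.vendor.lower()
                    and comp.product.lower() == rec.product.lower())
    return same_product and in_range(comp.version, rec.version_start, rec.version_end)


def cross_reference(bom: list[Component], records: list[VulnRecord]
                    ) -> tuple[list[tuple[Component, VulnRecord]], list[Component]]:
    """Return (findings, unversioned).

    findings: (component, record) pairs whose version range covers the
    component, highest CVSS first.
    unversioned: components with no version in the CBOM. They cannot be
    matched, so they are reported for manual review instead of dropped.
    """
    findings: list[tuple[Component, VulnRecord]] = []
    unversioned: list[Component] = []
    for comp in bom:
        if not comp.version:
            unversioned.append(comp)
            continue
        for rec in records:
            if matches(comp, rec):
                findings.append((comp, rec))
    findings.sort(key=lambda pair: pair[1].cvss, reverse=True)
    return findings, unversioned


# Constructed CBOM for a fictional infusion pump; two copies of the same
# TLS library are deliberate (e.g. one statically linked into the bootloader).
SAMPLE_BOM = [
    Component("exampleco", "pumpos", "2.3.1", "software"),
    Component("opentls", "opentls", "1.2.7", "software"),
    Component("opentls", "opentls", "1.2.10", "software"),
    Component("chipco", "mcu9000", "3.0", "hardware"),
    Component("vendorx", "btstack", "", "software"),
]

# Constructed vulnerability records standing in for NVD CPE match data.
SAMPLE_RECORDS = [
    VulnRecord("EXAMPLE-0001", "opentls", "opentls", "1.2.0", "1.2.9", 7.5),
    VulnRecord("EXAMPLE-0002", "opentls", "opentls", "1.3.0", "1.3.2", 9.8),
    VulnRecord("EXAMPLE-0003", "chipco", "mcu9000", "", "3.1", 6.1),
    VulnRecord("EXAMPLE-0004", "exampleco", "pumpos", "2.0", "2.3.0", 8.1),
]

if __name__ == "__main__":
    found, unknown = cross_reference(SAMPLE_BOM, SAMPLE_RECORDS)
    for comp, rec in found:
        print(f"{rec.ident} cvss={rec.cvss}: {comp.vendor}/{comp.product} "
              f"{comp.version} ({comp.kind})")
    for comp in unknown:
        print(f"REVIEW: {comp.vendor}/{comp.product} has no version in the CBOM")
```

Run against the constructed data, the check flags the 1.2.7 copy of the TLS library and the MCU revision, clears the 1.2.10 copy (a string comparison would wrongly have placed 1.2.10 below 1.2.9) and the 2.3.1 firmware, and lists the unversioned Bluetooth stack for review. In practice the same routine should run on every NVD feed update, not only at submission time, because the CBOM's value is in catching vulnerabilities disclosed after the device ships.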

Concerns & Next steps

So what’s not to like? The recommendations seem well informed and appropriate. However, there are a few risks:

  1. First, the guidance applies to new premarket submissions, not to devices that are already approved and deployed; given the replacement timelines for some of them, we expect a very long tail of insecure devices in healthcare settings.

  2. Next, while broad reaching, there are going to be scope questions. For example, general-purpose computers on hospital networks will not be regulated under these rules, but a similar Windows PC running an anesthesia information management system (AIMS) may fall under them.

  3. Lastly, although our work focuses on helping companies secure their devices to standards such as those the FDA is proposing, doing so can be difficult, time consuming, and expensive. In some cases it will require hardware changes to device designs (e.g., adding a processor or other chips that support the necessary cryptographic and secure boot functionality). Creating a full cybersecurity BOM is sometimes technically complex, and today there are not enough experts in the US who know how to secure devices effectively and integrate security into product design processes.

The difficulty is by no means a reason not to implement these rules. However, there will need to be careful consideration for devices nearing premarket submission for which the benefit to patients may outweigh the potential cybersecurity risks. Unfortunately, models of cyber risk still lack the ability to quantify this tradeoff. In the meantime, we hope that upcoming regulatory changes such as these put an emphasis on the need for training and for deploying far better cybersecurity practices.

We encourage you to contact us if you have any questions or comments based on this post, as we value your feedback and would be happy to discuss your specific questions.