Cybersecurity is becoming an increasingly prominent concern for the FDA and the industries it regulates, but the latest draft guidance on premarket cybersecurity requirements was not well received by device makers. However, the FDA also posted a notice on March 21 regarding cybersecurity issues in several cardiology devices, a bit of bad news that gives the agency little leeway when it comes to tighter scrutiny.
The agency’s previous premarket cybersecurity guidance for medical devices was barely four years old when the FDA posted a new draft guidance in October 2018, a document that came with a five-month comment period. In the meantime, the agency held a two-day workshop to address cybersecurity, but shortly after the comment period on the 2018 draft closed, the FDA posted a safety communication for several models of implantable defibrillators and cardiac resynchronization devices. The agency said the affected units are associated with the use of a wireless telemetry protocol, which provides remote monitoring and allows clinicians to make changes to the device’s settings. The telemetry device and software are alleged to lack encryption, authentication and authorization protocols, the FDA said, problems the manufacturer said it is working to address.
Cybersecurity Risk Framework Seen as Distracting
The October 2018 cybersecurity draft guidance proposed a two-tier cybersecurity risk framework that respondents to the docket said was impractical, given that it would seem to conflict with the underlying risk classification of the device. The draft guidance acknowledges that this approach “may not track to FDA’s existing statutory device classifications,” but said the two-tier cybersecurity risk framework is an attempt to align with cybersecurity standards published by the National Institute of Standards and Technology. That approach drew negative responses from several who commented to the docket, including the Medical Imaging & Technology Alliance (MITA) and the Advanced Medical Technology Association (AdvaMed), which said this approach would be cumbersome, confusing or both, particularly since the existing postmarket cybersecurity guidance does not feature this concept.
Another feature of this latest draft guidance is that it calls for a cybersecurity bill of materials (CBOM) to be provided with premarket applications. Brian Scarpelli of the Connected Health Initiative said the phrase “software bill of materials” (SBOM) is already in widespread use, and encouraged the agency to go with the SBOM moniker to avoid confusion. That position was echoed by MITA and AdvaMed, along with concerns as to whether an SBOM should include a listing of hardware and firmware as well as software. MITA’s executive director, Patrick Hope, also said it is not clear whether the scope of the CBOM as described in the draft would be limited to known vulnerabilities, and the question of whether the terms of the draft would apply retroactively was also raised.
Other Agencies Involved, Possible Legal Liability
While the FDA is certainly in the lead among regulatory agencies when it comes to digital regulation and cybersecurity, there are other agencies that are pushing their own efforts along. Among these is Australia’s Therapeutic Goods Administration, whose December 2018 cybersecurity draft guidance is directed toward both pre- and postmarket considerations. The government of Singapore might feel compelled to jump on board the cybersecurity bandwagon in the near future as well, given that the Health Sciences Authority recently acknowledged in a press release that one of the agency’s vendors had not adequately protected a database with the records for hundreds of thousands of blood donors.
Regardless of where device makers stand on the FDA premarket draft guidance, it is clear that cybersecurity requirements across the globe will become more commonplace, more stringent and more expensive to implement, particularly given that this is an area of liability law that has not yet been explored in the courts. However, the sponsors of at least one website dedicated to class-action lawsuits made it clear recently that they see cybersecurity lapses as fodder for liability claims.