The FDA’s Updated Premarket Guidance Demonstrates a Shift in Cybersecurity Best Practices
Cybersecurity has become a top priority for the healthcare community in recent years, driven by the significant upsurge in the use of wireless, internet- or network-connected medical devices and by the increased number of cyberattacks aimed at healthcare systems and hospitals across the country.
Those attacks are a primary reason the U.S. Food and Drug Administration (FDA) released an updated draft this past October of its premarket guidance concerning medical device cybersecurity, says Terry Moon, senior director of strategic sourcing for HealthTrust.
“I believe this was a reaction from the FDA,” Moon explains. “If some of those high-profile cybersecurity vulnerabilities on certain medical devices had not been breached, the FDA would have most likely kept the previous 2014 guidelines in place.”
In addition to specifying what information medical device manufacturers should gather before submitting new products for FDA review, the updated guidance includes recommendations for manufacturers on how to assess cybersecurity during the development and review of their premarket products. The latter could prove especially useful if an issue with a device were to arise, since it could shorten the time needed to identify and resolve the problem.
Marc Sammons, director of strategic sourcing for HealthTrust, says the FDA’s shift in tone was what first struck him when reviewing the updated guidelines. “When it comes to medical device security, the reflex is to refer to the FDA’s guidance,” Sammons explains. “So the fact that the FDA is weighing in on cybersecurity recommendations is positive. This will be helpful when it comes to changing the industry by recognizing that many of these medical devices have to go through a number of different steps to even be approved.”
According to Moon, the guidance suggests the FDA is listening to the hospital systems that have been crying for help.
“They haven’t had the kind of power or influence to demand change from medical device OEMs [original equipment manufacturers]. So, there seems to be a good alignment between what our members want and what the FDA is suggesting is the right thing to do,” he says.
Another striking distinction between the updated guidance and the 2014 version is that the newer version requires manufacturers of internet-connected medical devices to provide customers with a Cybersecurity Bill of Materials (CBOM). Essentially, a CBOM would list the commercial or off-the-shelf software and hardware components in a device that could be susceptible to vulnerabilities.
The inclusion of the CBOM rule is seen as a proactive move for those in medical device security.
“Having a list of all the different components involved in making a product work is, at the very least, something that can be entered into an inventory and used to help mitigate risk across the entire organization,” Sammons says.
Though the updated premarket guidance may signal the FDA’s resolve to strengthen its cybersecurity measures, the vast majority of the guidance is made up of non-binding recommendations, meaning those FDA-recommended responsibilities are not legally enforceable. The new guidance also describes the negotiation of contracts between medical device manufacturers and healthcare providers as a shared responsibility. Sammons explains that while the phrase “shared responsibility” could be open to debate, the FDA does clearly outline what it believes manufacturers need to consider when submitting a premarket product for review.
“Many of the product lines in the medical device space are deficient from a cybersecurity perspective, especially when you compare healthcare to the financial or banking industries,” Sammons says. “In finance, there are very specific rules and must-dos. I think this signifies the beginning of a shift where the medical device community is going to start seeing more and more must-dos, instead of should-dos, so the FDA is responding in kind.”
Though Moon believes the patient safety recommendations for manufacturers were a positive improvement on the 2014 guidelines, he was disappointed by the lack of legally binding rules. “There still needs to be some sort of penalty for not meeting these guidelines,” he adds. “Until that happens, it’s never something we can lean on 100 percent. With or without the FDA’s support, we have to evaluate all opportunities to protect patients because our job is to continue to push for stronger cybersecurity measures on behalf of all HealthTrust members.”