The FDA’s New Cybersecurity Guidance for Medical Devices Reminds Us That Safety & Security Go Hand in Hand

by admin

Believe it or not, since 2014 medical device manufacturers seeking the Food and Drug Administration's premarket approval (the FDA review process that assesses the safety and efficacy of Class III medical devices) have been subject to the agency's medical device cybersecurity guidance, with subsequent updates in 2018. That guidance is now about to change significantly.

Instead of finalizing the 2018 premarket cybersecurity draft guidance, the FDA has decided to publish a new 2022 version that reflects the rapid evolution of cybersecurity. It incorporates a new set of quality system regulation (QSR) considerations that differ substantially from the 2018 predecessor.

New FDA draft guidance
The new draft guidance, titled "Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions", sets out the myriad design, labeling, and documentation requirements that medical device manufacturers must address before a new device obtains FDA premarket approval.

The FDA's initial cybersecurity guidance ran only nine pages, but the 2022 version has grown to 50 pages, reflecting advances in the cybersecurity ecosystem and in best practices. When clearing connected medical devices for the market, the FDA appears to have long weighed how cybersecurity is implemented, especially with respect to the level of risk to patient safety.

Updated regulations: why now?
Because the healthcare industry is a major target for cyberattacks, stronger cybersecurity measures are needed to protect medical devices and their operational and patient data. Data breaches hit a record high in 2021, exposing a record amount of protected health information. Beyond data theft, a growing number of incidents attempt to interfere with the normal operation of medical devices such as CT and MRI scanners, which can lead to misdiagnosis, unnecessary medical procedures, or direct harm to patients.

According to the American Hospital Association's Senior Advisor for Cybersecurity and Risk, medical devices used in hospital rooms have 6.2 vulnerabilities on average. As devices become more complex and interconnected, attackers have more opportunities to exploit those vulnerabilities, and the regulations need to be updated accordingly.

Incorporating cybersecurity into quality system regulations to increase safety
With the new guidance, the FDA says next-generation medical devices will be considerably safer and more secure throughout the device life cycle, from the early stages of design and premarket work (shift left) through post-production and the rest of the device's useful life (shift right).

With the proposed guidance, the FDA is incorporating cybersecurity into its quality system regulations, redoubling its efforts to address the complexity of modern devices and today's evolving threat landscape.

From CBOM to SBOM: What’s the difference?
Surprisingly, one of the major changes in the new guidance is that manufacturers will provide a complete software bill of materials (SBOM) instead of the more cumbersome cybersecurity bill of materials (CBOM) required by the 2018 draft. It was the stringency of that requirement that led medical device manufacturers to oppose the 2018 guidelines.

The SBOM aligns with cybersecurity standards in most industries and is consistent with the Biden administration's recently issued Executive Order 14028, "Improving the Nation's Cybersecurity". It lists all required software packages (commercial and open source) together with their versions.

Under the 2018 guidance, the much more complex CBOM called for "a list of commercial, open source, and off-the-shelf software and hardware components to enable device users (including patients, care providers, and healthcare providers) to effectively manage their assets, to understand the potential impact of identified vulnerabilities to the device (and the connected systems), and to deploy countermeasures to maintain the device's essential performance."
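The practical value of an SBOM is that it can be matched, continuously, against a vulnerability feed. The following is an added example, not code from the article or from the FDA; it parses a small CycloneDX-style SBOM and an advisory list that are both constructed here (all component names, versions and advisory IDs are placeholders, not real products or CVEs), reports components whose version falls in an advisory's affected range, and separately flags components whose version is missing, since an SBOM entry without a version cannot be assessed at all.

```python
"""Match an SBOM component inventory against a vulnerability feed.

Added illustration, not from the article or the FDA guidance. The SBOM and
the advisories below are constructed for this example; every name, version
and advisory ID is a placeholder.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed CycloneDX-style SBOM for a hypothetical device firmware.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"name": "example-pump-firmware", "version": "3.1.0"}},
  "components": [
    {"type": "library", "name": "example-tls-lib", "version": "1.2.1"},
    {"type": "library", "name": "example-compression-lib", "version": "2.0.0"},
    {"type": "operating-system", "name": "example-rtos", "version": "4.2.1"},
    {"type": "library", "name": "example-ble-stack"}
  ]
}
"""

# Constructed advisory feed: a component is affected when
# introduced <= version < fixed.
ADVISORIES: List[Dict[str, str]] = [
    {"id": "EXAMPLE-ADV-0001", "component": "example-tls-lib",
     "introduced": "1.0.0", "fixed": "1.2.4", "severity": "high"},
    {"id": "EXAMPLE-ADV-0002", "component": "example-compression-lib",
     "introduced": "1.0.0", "fixed": "2.0.0", "severity": "medium"},
    {"id": "EXAMPLE-ADV-0003", "component": "example-ble-stack",
     "introduced": "2.0.0", "fixed": "2.1.0", "severity": "critical"},
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.2.3' (or '1.2.3rc1') into a comparable tuple of integers."""
    parts = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            raise ValueError(f"unparseable version component: {piece!r}")
        parts.append(int(match.group()))
    return tuple(parts)


def version_in_range(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed, padding short tuples with zeros."""
    v, lo, hi = parse_version(version), parse_version(introduced), parse_version(fixed)
    width = max(len(v), len(lo), len(hi))

    def pad(t: Tuple[int, ...]) -> Tuple[int, ...]:
        return t + (0,) * (width - len(t))

    return pad(lo) <= pad(v) < pad(hi)


def incomplete_components(sbom_json: str) -> List[str]:
    """Names of SBOM components that carry no version (cannot be assessed)."""
    sbom = json.loads(sbom_json)
    return [c["name"] for c in sbom.get("components", []) if not c.get("version")]


def audit_sbom(sbom_json: str, advisories: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one finding per (component, advisory) pair that is affected or unassessable."""
    sbom = json.loads(sbom_json)
    findings: List[Dict[str, object]] = []
    for comp in sbom.get("components", []):
        name, version = comp.get("name"), comp.get("version")
        for adv in advisories:
            if adv["component"] != name:
                continue
            if version is None:
                status = "unknown"          # no version: cannot rule the advisory out
            elif version_in_range(version, adv["introduced"], adv["fixed"]):
                status = "affected"
            else:
                continue                    # version outside the affected range
            findings.append({"component": name, "version": version,
                             "advisory": adv["id"], "severity": adv["severity"],
                             "status": status})
    return findings


if __name__ == "__main__":
    for finding in audit_sbom(SBOM_JSON, ADVISORIES):
        print(f"{finding['status']:8} {finding['severity']:8} "
              f"{finding['component']} {finding['version']} -> {finding['advisory']}")
    print("components without a version:", incomplete_components(SBOM_JSON))
```

The "unknown" status matters as much as "affected": an SBOM that omits versions satisfies the letter of a documentation requirement while leaving the manufacturer unable to tell whether a newly published advisory applies, so a pre-submission review should treat version-less entries as defects in the SBOM itself.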

A secure product development framework for all devices
The latest guidance asks medical device manufacturers to consider using a secure product development framework (SPDF) to meet their QSR goals. "An SPDF encompasses all aspects of a product's lifecycle, including development, release, support, and decommissioning."

Beyond compliance with the draft guidance, adopting an SPDF can bring significant value to medical devices. The draft states: "Using SPDF processes during device design may avoid the need to re-engineer the device when connectivity-based features are added after marketing and distribution, or when vulnerabilities resulting in uncontrolled risks are discovered."

Is the new FDA draft guidance binding?
The FDA is accepting comments on the new draft from medical device manufacturers and the general public until July 7, and the final version of the new FDA cybersecurity guidance for medical devices is expected later this year. While FDA guidance is not binding, the final version will provide a roadmap for how medical device manufacturers address product cybersecurity to ensure compliance and patient safety.

The FDA is not the only federal body looking to tighten cybersecurity regulation. A bill called the Protecting and Transforming Cyber Health Care (PATCH) Act was recently introduced in the US Congress. The PATCH Act, the executive order, and other proposed bills contain provisions that strengthen the FDA's ability to require medical device manufacturers to achieve specific cybersecurity goals.

To prepare for the impending legislation, medical device manufacturers need to start investigating how to generate detailed SBOMs that let them continuously detect vulnerabilities and mitigate risk, so that they remain compliant with the FDA's 2022 guidance and whatever follows it.
