“Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions” is an FDA Guidance on medical device cybersecurity that provides guidance on integrating cybersecurity into the quality system management and premarket submission process for medical devices.
It covers risk management, design controls, software validation, and other elements to ensure the safety, effectiveness, and security of medical devices in the face of potential cyber threats.
The goal of the FDA Guidance on medical device cybersecurity is to impart on device manufacturers the need to consider cybersecurity in all aspects of device software including design, development, testing, monitoring and maintenance. A key concept of the document is planning for the “Total Product Life Cycle”. The FDA has pulled in many aspects of cybersecurity that would normally be left to HIPAA and device customers. It is now incumbent on the device manufacturers to integrate secure software practices from the beginning of the development phase and show through documentation how they will continue to ensure the device remains secure.
What is Cybersecurity?
NIST (National Institute of Standards and Technology) has an entire page dedicated to the various definitions of cybersecurity.
NIST identifies Cybersecurity as a synonym for computer security [1]. It is the “Measures and controls that ensure confidentiality, integrity, and availability of the information processed and stored by a computer.”[2] It is also “the prevention of damage to, unauthorized use of, exploitation of, and—if needed—the restoration of electronic information and communications systems, and the information they contain, in order to strengthen the confidentiality, integrity and availability of these systems.”[3]
When extended to medical devices, cybersecurity encompasses user and patient safety. As noted on the FDA Guidance on page 11: “The scope and objective of a security risk management process, in conjunction with other SPDF processes (e.g., security testing), is to expose how threats, through vulnerabilities, can manifest patient harm and other potential risks.” Figure 1 below shows the relationship between Cybersecurity Risk and Safety Risk.
How to manage Cybersecurity Risks
The FDA Guidance on medical device cybersecurity suggests that one way to manage cybersecurity risk is through what it calls a “Secure Product Development Framework” or SPDF. An SPDF is essentially a plan for identifying cybersecurity threats and mitigations for the entire lifetime of the device. Device manufacturers should implement an SPDF as part of the key Quality Management System (QMS) that govern how a device with software is developed and maintained.
The process can be boiled down to the following steps:
- Identify threats
- Document and evaluate risks
- Document and implement mitigations
- Test and verify mitigations
- and finally monitor the device and device space for new threats.
The outputs of these steps and the implementation of future facing procedures are the inputs the FDA requires for all new regulatory submissions. While the steps of the process are easily identified, the implementation of an SPDF is anything but easy.
More About SPDF
A Secure Product Development Framework should become a standard part of any QMS used to develop an electronic medical device or any medical device with software. It is tempting to claim that a device does not require an SPDF or cybersecurity considerations, but this would be a mistake. There is no way to prove to the FDA that your device does NOT present cybersecurity risks until after you have performed many of the initial steps of an SPDF, namely Threat Identification and Cybersecurity Risk Analysis.
We have already heard stories of other manufacturers that assumed they were secure only to have the FDA point to a USB port or a latent network port (behind a panel no less!) and reject the application due to lack of cybersecurity documentation. Just because the device does not connect to the internet, does not mean that a threat actor couldn’t exploit a part of your system. The only way to prove that your device is safe is to implement an SPDF from the start of the device lifecycle and document the lack of threats or risks.
Cybersecurity Risk Management
Our software team works with a number of Cybersecurity professionals, Penetration Testing Firms and FDA consultants to ensure the devices we develop are able to meet the FDA Cybersecurity documentation requirements for medical devices. Device developers should internalize the FDA Guidance on medical device cybersecurity and create new processes to help with compliance and new tools for generating the outputs necessary to satisfy the FDA. This is not a small undertaking. We have spent considerable time and effort bringing these systems up. The effort has paid dividends for our customers because we have automated vulnerability detection and reporting.
FDA Cybersecurity Draft Guidance
If you would like to know more about how StarFish Medical can help with your cybersecurity regulatory compliance, please contact our Business Development group. They would be happy to discuss how StarFish can help you succeed in creating robust, secure medical devices.
[1] https://csrc.nist.gov/glossary/term/cybersecurity
[2] https://www.cnss.gov/CNSS/issuances/Instructions.cfm
[3] https://doi.org/10.6028/NIST.IR.8074v2
Image: FDA
Russell Haley is a StarFish Medical Senior Software Engineer. He is a software and IT veteran with over 20 years of start-up experience designing IoT systems that collect data through Wi-Fi, Bluetooth and MICS (implantable) radios and store vital records in the cloud from oceanographic buoys, financial institutions, passenger trains and most recently, medical devices.