On September 27, 2023, FDA issued a final guidance titled Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions. This final guidance updates a draft guidance of the same title issued on April 8, 2022, discussed in a previous Ropes & Gray alert, and replaces the agency’s 2014 final guidance titled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” analyzed by Ropes & Gray here. While the new final guidance is largely similar to the April 2022 draft, it provides more detailed recommendations on conducting cybersecurity risk assessments, interoperability considerations, and documents to be included in premarket submissions to FDA.
The final guidance also rests on new statutory authority explicitly authorizing FDA to (1) require cybersecurity information in medical device submissions for “cyber devices” and (2) require that manufacturers take certain actions to demonstrate reasonable assurance that such devices and related systems are “cybersecure.” The new statutory provision also makes it a prohibited act to fail to comply with FDA cybersecurity requirements. With this new legal authority, the government will be able to prosecute violations of FDA cybersecurity requirements criminally or to pursue injunctive relief against a company that is out of compliance, including for failure to maintain processes that reasonably protect against cybersecurity threats once a device is on the market.
FDA’s Cybersecurity Concerns
As medical devices have grown more integrated with wireless, internet- and network-connected systems and portable media, FDA has grown increasingly concerned about risks to medical device safety and effectiveness arising from insufficiently robust cybersecurity controls. In its newly finalized guidance, FDA notes that “[c]yberincidents have rendered medical devices and hospital networks inoperable, disrupting the delivery of patient care.” This newly finalized guidance contains recommendations intended to supplement two prior guidances titled: Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software and Content of Premarket Submissions for Device Software Functions.
New Statutory Authority
The final guidance also describes FDA’s new statutory authority. Food and Drug Omnibus Reform Act, or FDORA, was signed into law on December 29, 2022 as part of the Consolidated Appropriations Act for 2023. Section 3305 of the Act incorporated the text of the previously proposed PATCH Act, requiring persons who submit premarket applications for medical devices (i.e., PMA, 510(k), or de novo submissions) to include such information as FDA may require to ensure the device meets cybersecurity requirements outlined in the statute. The sponsor of an application covered by this provision must:
- submit a plan to monitor, identify, and address postmarket cybersecurity vulnerabilities and exploits;
- design, develop and maintain processes and procedures to provide a reasonable assurance that the device and related systems are “cybersecure,” and make available postmarket updates and patches to the device and related systems to address certain cybersecurity vulnerabilities;
- provide a software bill of materials, including commercial, open-source, and off-the-shelf software components; and
- comply with such other requirements FDA may require through regulations to demonstrate a reasonable assurance that the device and related systems are cybersecure.
FDORA limits this new legal authority to a newly defined category of “cyber device,” defined as a device that:
- includes software validated, installed or authorized by the sponsor of the premarket application as a device or in a device;
- has the ability to connect to the internet; and
- contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.
Further, the statutory amendment creates a new prohibited act prohibiting “the failure to comply with any requirement under section 524B(b)(2) (relating to ensuring device cybersecurity.)” This new section enables the government to prosecute violations of the cybersecurity requirements criminally or to pursue injunctive relief against a company that is out of compliance.
While these new requirements were supposed to become effective 90 days after passage of the law, which would have been March 29, 2023, FDA issued a guidance on the day the statutory provisions were intended to become effective clarifying that it would not begin issuing “refuse to accept” notices for premarket submissions that lack required cybersecurity information until October 1, 2023.
Final Guidance: Updates
While the new guidance is similar in structure and content to the prior version, it adds two new substantive sub-sections to the original security risk management section, a new appendix that identifies what specific documentation elements recommended for inclusion in premarket submissions will also apply to IDE submissions, and a number of definitions of cybersecurity terms that did not appear in the prior version.
- As described in the 2022 draft guidance, FDA recommends implementation and adoption of a “Secure Product Development Framework” or “SPDF,” defined as a set of processes that reduce the number and severity of vulnerabilities in products throughout the device lifecycle. As in the draft guidance, the SPDF is expected to be the key structure within which cybersecurity risk is addressed and should focus on three main elements: security risk management, security architecture, and cybersecurity testing. The guidance also makes reference to IEC 81001-5-1, a reference standard for health software, as a possible framework to consider for the SPDF. FDA continues to recommend including a security risk management report in a premarket submission to help demonstrate device safety and efficacy.
- The updated security risk management section of the new guidance contains two new sub-sections, the first regarding “Cybersecurity Risk Assessments.” The guidance notes that cybersecurity risks are difficult to predict and recognizes that it is not possible to assess and quantify the likelihood of an incident occurring based on historical data or modeling. Thus, a cybersecurity risk assessment should focus on the exploitability of vulnerabilities present within a device or system, and those likely to be present in the environment of use. FDA recommends that the cybersecurity risk assessment capture the risks and controls identified from the threat model, and also include the methods used for scoring such risks pre- and post-mitigation and the associated acceptance criteria as well as the method for transferring security risks into the safety risk assessment. The assessment should be included in a premarket submission.
- The risk management section also contains a new section on “Interoperability Considerations” addressing cybersecurity considerations that may arise from interoperable functionality including, but not limited to, interfaces with:
- Other medical devices and accessories
- “other functions” as identified in FDA’s guidance titled: Multiple Function Device Products: Policies and Considerations
- Interoperability with health care infrastructure; and
- General Purpose computing platforms.
The guidance notes that properly implemented cybersecurity controls will help ensure the safe and effective exchange and use of information and advises that device manufacturers assess whether added security controls beneath common technology and communication protocols like Bluetooth and network protocols are needed to ensure safety and effectiveness. In addition to advising that manufacturers reference its guidance titled Design Considerations and Pre-market Submissions Recommendations for Interoperable Medical Devices the guidance also suggests that device manufacturers consider the appropriate cybersecurity risks and controls associated with interoperability capabilities and ensure they are documented.
- Another key addition in the final guidance is a new Appendix 4, which provides a checklist of documents that FDA recommends be submitted in premarket submissions. The checklist also identifies which documents may be helpful to submit but are not specifically recommended for submission in IDE submissions. As an example, the Appendix notes that the Cybersecurity Risk Management Report and Threat Model discussed in the guidance might be helpful to submit in an IDE but are not specifically recommended. In contrast, Architecture Views and Labeling are specifically recommended for submission in a device IDE.
- The final guidance also adds and defines a number of new key cybersecurity terms in a new Appendix 5. While many of the added terms are new to the guidance, they are adapted from existing definitions from recognized sources, including NIST, the Joint Security Plan, ISO/IEC and CNSSI 4009-2015.
Liability Landscape for Device Manufacturers
The finalized guidance reflects continued FDA expectations that device manufacturers protect against cybersecurity risks throughout the device life cycle, including addressing risks that arise as devices age and novel, unanticipated threats emerge. These expectations require considerable resources in monitoring for new risks and in development of new mitigations for vulnerabilities identified. Reengineering old devices to address new vulnerabilities may be both risky and costly. But leaving such devices defenseless against new methods of hacking is an even riskier proposition.
As the drum beat of major data breaches and resulting congressional investigations and class action lawsuits continues, accentuated by DOJ False Claims Act investigations and settlements alleging failures to comply with contracted-for cybersecurity standards prioritized by DOJ’s Civil Cyber-Fraud Initiative, failing to take cybersecurity threats seriously is not an option. The addition of a new statutory prohibited act associated with failing to comply with FDA’s cybersecurity requirements adds criminal risk on top of already existing and significant civil liability risks. Perhaps FDA’s new authorities and final guidance will provide manufacturers with some protection, however, in the form of clearer expectations about the degree of risk that is acceptable as well as the imprimatur of agency satisfaction with a manufacturer’s cybersecurity controls, mitigations, and monitoring plans that will come with device clearance or approval. Even with such a stamp of agency satisfaction at the time of clearance and approval, device manufacturers will still have the burden of demonstrating that they took appropriate steps to monitor for and mitigate emerging risks once a device is on the market. Documentation of such efforts will be a company’s best defense as it navigates the growing minefield of cybersecurity litigation and enforcement.