FDA Lays Out New Guidelines for Medical Device Cybersecurity

Cybersecurity is an area of growing concern for the health care industry, particularly for makers of medical devices based on software applications vulnerable to cyberattack. The issue has taken on even greater urgency as more patients come to rely on connected care. With that in mind, the U.S. Food and Drug Administration (FDA) issued long-awaited draft guidance to help device makers deal with the threat.

The New FDA Cybersecurity Guidance

Published on April 8, “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions” is an updated, more comprehensive version of guidance that FDA published in 2018. Things have gotten much worse since then, the agency acknowledges. “Cybersecurity incidents have rendered medical devices and hospital networks inoperable, disrupting the delivery of patient care across healthcare facilities in the U.S. and globally,” according to the guidance. As increased connectivity results in individual devices operating as single elements of larger medical device systems, “a cybersecurity threat can compromise the safety and/or effectiveness of a device by compromising the functionality of any asset in the system.” The guidance lays out an end-to-end strategy for makers of software-based medical devices to tackle the cybersecurity issue across a product’s total life cycle, including in both premarket submissions and postmarket once the device is approved. The recommendations include:

• Incorporating threat modeling into the product design process to anticipate possible types of attacks and mitigation strategies;
• Using a security architecture that maps out all end-to-end connections into and/or out of the system, and including it in premarket submission;
• Performing cybersecurity testing not simply to verify but demonstrate the effectiveness of design controls in responding to cyberthreats under actual conditions; and
• Using product labels to warn device users of product-specific cybersecurity threats, determine whether the device has been compromised, and take appropriate response action.

The draft guidance also calls on device makers to incorporate into their premarket submissions a vulnerability communication plan that lists:

• Personnel responsible;
• Sources, methods, and frequency for monitoring for and identifying vulnerabilities;
• Periodic security testing to test the impact of any vulnerabilities identified;
• A timeline to develop and release patches;
• Update processes;
• Patching capabilities, i.e., the rate at which updates can be delivered to devices;
• A description of their coordinated vulnerability disclosure process; and
• A description of how the manufacturer intends to communicate forthcoming remediations, patches, and updates to customers.

Practical Impact of the New Guidance

The fact that the FDA guidance will not be legally binding if and when it becomes final belies its true practical significance. In addition to representing something of a best practice benchmark for medical device cybersecurity, the guidance may end up acquiring binding force via incorporation into subsequent regulation and/or into device maker contracts by reference. Equally important, the guidance will establish clear FDA expectations for premarket submissions and ongoing postmarket programs covering monitoring, servicing, and other actions relating to a connected device. Accordingly, device makers that fail to follow them may have a hard time obtaining and maintaining approval for their products. The FDA will be taking public comments on the proposed guidance until July 7, 2022. Here are some of the key new FDA EUAs and clearances that were announced in April, 2022: 

New FDA Emergency Use Authorizations (EUAs) & Approvals

Manufacturer(s)	Product
Q-linea	Breakthrough Device designation for ASTar antimicrobial susceptibility test
University of California, San Diego	EUA for UCSD EXCITE COVID-19 EL Test, PCR assay
D.C. Health	EUA for direct-to-consumer Test Yourself DC At-Home COVID-19 Collection Kit
Osang Healthcare	EUA for OHC COVID-19 Antigen Self Test lateral flow immunoassay
Xiamen Boson Biotech	EUA for Rapid SARS-CoV-2 Antigen Test Card lateral flow immunoassay
DNA Genotek (subsidiary of OraSure Technologies)	De novo authorization for Omnigene-Gut Dx device for self-collection and stabilization of microbial DNA from human feces for gut microbiome profiling
Quest Diagnostics	EUA for Quest RC COVID-19 PCR DTC test
Quest Diagnostics	EUA for Quest PF COVID-19 PCR DTC test
Quest Diagnostics	EUA for Quest COVID-19 PCR DTC test
Helix	EUA for molecular test detecting SARS-CoV-2 from anterior nasal swab specimens self-collected without supervision using Helix COVID-19 Self-Collection Kit
Siemens Healthineers	Breakthrough device designation for Advia Centaur serum Neurofilament Light Chain test
Siemens Healthineers	EUA for Atellica IM SARS-CoV-2 Antigen test
Siemens Healthineers	EUA for and Advia Centaur SARS-CoV-2 Antigen test
BioMérieux	510(k) clearance for Vitek MS Prime MALDI-TOF mass spectrometry identification system
Foundation Medicine	Approval of FoundationOne CDx test as companion diagnostic to identify NSCLC patients with EGFR exon 19 deletions or exon 21 alterations for treatment with EGFR inhibitors
Phase Scientific International	EUA for over-the-counter, at-home version of SARS-CoV-2 rapid test, called the Indicaid COVID-19 Rapid Antigen At-Home Test
Minute Molecular Diagnostics	EUA for DASH SARS-CoV-2/S molecular test
AstraZeneca + Merck	Approval for Lynparza (olaparib) as adjuvant treatment for early-stage breast cancer patients harboring germline BRCA1/2 mutations