Medtech cybersecurity compliance

A countdown started late last year for the U.S. Food and Drug Administration (FDA) to strengthen medical-device security per the $1.7 trillion Omnibus Appropriations Act that became law in December. For the first time, the FDA has statutory authority to require satisfactory cybersecurity measures be incorporated into these devices. As of March 2023, pre-market submissions must now include information explicitly required by the agency. As of October 1, 2023, the FDA issues refuse to accept (RTA) decisions for submissions not meeting these requirements.

This has put a laser focus on cybersecurity compliance and best practices for defending against evolving threats, ranging from hijacking and re-programming heart defibrillators to attacking a hospital’s network through decades-old, unprotected legacy hospital equipment. Several practices for multi-layered cybersecurity have already proven effective in products such as automated insulin delivery (AID) systems requiring insulin pumps to be connected to a continuous glucose monitor (CGM).

New requirements

The new FDA requirements laid out on page 1,375 of the H.R. 2617-1375 bill include:

1. Submit to the Secretary a plan to monitor, identify, and address, as appropriate, in a reasonable time, post-market cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures.

2. Design, develop, and maintain processes and procedures to provide a reasonable assurance the device and related systems are cybersecure, and make available post-market updates and patches to the device and related systems to address – a) on a reasonably justified regular cycle, known unacceptable vulnerabilities; and b) as soon as possible out of cycle, critical vulnerabilities that could cause uncontrolled risks.

3. Provide the Secretary a software bill of materials, including commercial, open-source, and off-the-shelf software components.

4. Comply with such other requirements as the Secretary may require through regulation to demonstrate reasonable assurance that the device and related systems are cybersecure.

On March 30, the FDA articulated its RTA policy saying between then and Oct. 1, 2023, it “..intends to work collaboratively with sponsors of such premarket submissions as part of the interactive and/or deficiency review process.” The FDA expects sponsors of cyber devices to have sufficient time to prepare premarket submissions containing information required by section 524B of the FD&C Act and may RTA premarket submissions that don’t.

The new bill also requires the FDA to draft new cybersecurity regulations and update its guidance every two years. On April 8, the agency issued a draft update to its 2014 document. This draft Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions Draft Guidance for Industry and Food and Drug Administration Staff must, per section 3305(e) of the Omnibus, be finalized by Dec. 2024. General principles include:

1. Cybersecurity is part of device safety and the quality system regulations (QSR). This is found in QSR in 21 CFR Part 820 and may be satisfied through a Secure Product Development Framework (SPDF) encompassing all aspects of a product’s life cycle, including development, release, 156 support, and decommission.

2. Designing for security. FDA will assess the adequacy of the device’s security based on the device’s ability to provide and implement security objectives throughout the system architecture: 1) authenticity, which includes integrity; 2) authorization; 3) availability; 4) confidentiality; and 5) secure and timely updatability and patchability.

3. Transparency. Device users must have access to information pertaining to the device’s cybersecurity controls, potential risks, and other relevant information.

4. Submission documentation. Device cybersecurity design and documentation is expected to scale with risk. For example, if a thermometer is used in a safety-critical control loop, or is connected to networks or other devices, the cybersecurity risks for the device are considered greater and submissions should include more substantial design controls and documentation.

Aligning with IoT best practices

The FDA’s draft guidance shows how far the industry has come toward mandating successful multi-layered cybersecurity best practices. These practices are particularly important for systems controlled using today’s commercial smartphones at risk of being taken over by cybercriminals who exploit their vulnerable Bluetooth, near-field communication (NFC), and long-term evolution (LTE) wireless connections.

There are three critically important security layers:

1. Protecting all system communications at the application layer. This protects the entire communication channel between the smartphone app, medical device, and cloud, defending against many types of malware and wireless channel cybersecurity attacks (see Figure 1).

2. Ensuring each system element can be trusted through authentication. This validates integrity of the user, smartphone app, cloud, consumable, and any associated devices connected to the solution’s communication system (see Figure 2). It prevents hackers from gaining ‘root access’ to privileges enabling them to inflict harm.

3. Securing always-on connectivity channels between smartphone apps, IoT devices, and the cloud. This enables systems to receive the most recent data and immediately change device operation to meet patients’ care requirements. It’s critical for protecting against communications lapses when connected medical devices are controlled by a handheld device or smartphone.

Issue of legacy equipment

Cybersecurity best practices are also important for legacy equipment including magnetic resonance imaging machines (MRIs), ventilators, and infusion pumps. In its draft guidance, the FDA only recognizes the need for devices to be updated in a secure and timely manner to maintain safety and effectiveness throughout the product’s life cycle. Regarding legacy equipment, the concern is primarily about mitigating risks a medical device is exposed to when connected to unprotected legacy equipment. For now it appears legacy device cybersecurity isn’t handled differently than in 2021, when the FDA referred to a March 2020 International Medical Device Regulators Forum (IMDRF) document (ultimately finalized in 2023) suggesting these devices “should be decommissioned.”

But the subject did come up during the FDA’s June 2023 FDA webinar on its draft 2023 guidance. Among the panelists was Linda Ricci, division director of the Division of All Hazards Response, Science and Strategic Partnerships (DARSS) and the Center for Devices and Radiological Health (CDRH) Office of Strategic Partnerships and Technology Innovation (OST). When asked about legacy equipment, she said the zero-trust architecture recommended in draft FDA guidance must extend across the life cycle of the device, including when it’s connected with these legacy devices. “It’s really about protecting your current device,” Ricci says. “You think about what you need to put in place to protect your device…. Knowing you have that type of [legacy] system on the other side, what can you do to protect your device? …those would be the type of mitigations necessary in those types of situations.”

It should be noted, however, it’s possible to protect legacy equipment while also ensuring continuous connectivity. It’s also extremely important because this type of equipment has been responsible for most hospital cybersecurity attacks and represents a very large threat surface for hackers to exploit. Legacy equipment has typically been connected to networks with minimal protection. Hackers can exploit this to threaten patient safety or launch zero-day attacks against hospital operations. This can be remedied, however, in several ways. As an example, legacy wired Ethernet medical systems can be protected by installing intermediate Ethernet gateways acting as a shield, maximizing the usable life of these devices while defending against network-injected malware.

Building on earlier successes

Many successes led to this point in the history of medical device cybersecurity including AID systems with cybersecurity solutions enabling them to always be securely connected to a CGM per IEEE 2621 certification requirements. These types of cybersecurity capabilities don’t need to be built from scratch but can be added by using a software development kit (SDK) focusing on cyber threats. Today’s SDKs shorten the time required to bring an application to market by providing the necessary hardware roots of trust of connected devices. SDKs are available across all three key layers of connected-device security.

Passage of the Omnibus bill has given the FDA statutory authority to create a world where no one who benefits from connected medical technologies must worry about hackers trying to exploit these technologies. The latest draft FDA guidance takes another big step toward aligning medical device requirements with the industry’s proven cybersecurity best practices. Equally important, SDKs for implementing these multi-layered best practices help get these products to market faster. With these and other advances, patients and their families have even greater confidence they can live better lives without compromising their cyber safety.

Thirdwayv
http://www.thirdwayv.com

About the author: Vinay Gokhale is vice president of business development with Thirdwayv