As medical devices have grown increasingly complex, so have the regulations surrounding them. This is understandable when you consider the risks posed by software and connected devices. While the U.S. Food and Drug Administration (FDA) has released guidance in the past about security in medical devices, the pace of technology warrants more frequent guidance documents. The latest FDA cybersecurity guidance to be released is still in the draft stage, “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.”[1]
As I recently mentioned in another post,[2] the idea of a software bill of materials (SBOM) is nothing new. And, as expected, it’s becoming less of a regulatory “nice to have” and more of a requirement. This latest guidance document ties an SBOM to the requirements in 21 CFR 820. The guidance states “all software … should be assessed for cybersecurity risk and that risk should be addressed. Accordingly, device manufacturers are expected to document all software components of a device.”[3]
The SBOM is still not required, but it’s noted as a possible way to fulfill this requirement. The SBOM lists all software components and aids in medical device cybersecurity risk management by helping identify devices affected by software vulnerabilities. The agency is recommending an SBOM be included in a device’s premarket submission and lists in the guidance the documentation that should be included.
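To make the "identify affected devices" use case concrete, here is an added example (not code from the post or from the FDA guidance) that correlates a vulnerability advisory against per-device SBOMs. The device models, component names, versions and the advisory are constructed sample data, and the SBOM shape is a simplified list of components rather than any particular standard format.

```python
"""Added example: triage a fleet of device models against an advisory using
their SBOMs. Every name and version below is constructed for illustration."""
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Turn '3.0.7' into (3, 0, 7) so versions compare numerically, not as text."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Advisory:
    component: str   # component name exactly as it appears in the SBOM
    fixed_in: str    # first version that carries the fix; older versions are affected


# Constructed SBOMs, one per device model. Each entry records what the guidance
# expects to be documented for a component: name, version and supplier.
DEVICE_SBOMS = {
    "infusion-pump-A": [
        {"name": "tls-lib", "version": "3.0.7", "supplier": "Example Corp"},
        {"name": "rtos-net-stack", "version": "2.3.1", "supplier": "Example Corp"},
    ],
    "patient-monitor-B": [
        {"name": "tls-lib", "version": "3.0.9", "supplier": "Example Corp"},
        {"name": "json-parser", "version": "1.4.0", "supplier": "Example Corp"},
    ],
    "ventilator-C": [
        {"name": "rtos-net-stack", "version": "2.2.0", "supplier": "Example Corp"},
    ],
}


def affected_devices(advisory: Advisory, sboms: dict) -> dict:
    """Return {device: version_found} for each SBOM that lists the advisory's
    component at a version older than the fixed version."""
    fixed = parse_version(advisory.fixed_in)
    hits = {}
    for device, components in sboms.items():
        for c in components:
            if c["name"] == advisory.component and parse_version(c["version"]) < fixed:
                hits[device] = c["version"]
    return hits


def triage(advisory: Advisory, sboms: dict, fleet: list) -> dict:
    """Classify every model in the fleet as 'affected', 'not affected' or
    'unknown'. A model with no SBOM on file cannot be cleared, which is the
    practical reason the guidance asks for complete component documentation."""
    hits = affected_devices(advisory, sboms)
    return {
        d: "unknown" if d not in sboms else ("affected" if d in hits else "not affected")
        for d in fleet
    }
```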
Quality by Design is the idea of building quality into a product from the beginning. Secure by design follows the same basic concept. The FDA cybersecurity guidance encourages manufacturers to build cybersecurity into a device from the beginning of product development rather than only considering it after the product is finished. This approach should also make it easier to follow this and any future guidance documents, because medical device manufacturers can show that cybersecurity has been top of mind for them from the start.
For those who would like further clarification on the guidance, the FDA hosted a webinar with a presentation followed by a Q&A.[4] During that Q&A one of the attendees brought up the question of software as a medical device (SaMD) that uses artificial intelligence (AI) and/or machine learning (ML). SaMD is still a medical device, so medical device cybersecurity risk management is still a concern and this guidance definitely still applies. The answer from the FDA official was to focus on the objectives of the guidance.
AI/ML-enabled SaMD will require different applications of these principles. The integrity of the algorithms should be a point of focus and where the algorithm is housed will change how companies apply this guidance. The example given by the FDA official was that applying this guidance for AI/ML in the cloud will look different from AI/ML that’s part of a medical device. It is interesting to note that, while AI/ML is becoming more common in medical devices, the FDA cybersecurity guidance itself does not mention it.
The more connected medical devices become, the more cybersecurity risk they present. The FDA and other regulatory bodies are trying to help medical device companies stay ahead of attackers and help keep patients safe. Dealing with third-party providers, and with devices that are even more complicated due to AI/ML, presents its own unique challenges. By following industry best practice and this guidance, manufacturers can improve their medical device cybersecurity risk management and ensure safe devices for patients.
References: