Concerns Raised with FDA over Medical Device Security Guidance
The U.S. Food and Drug Administration (FDA) is reviewing feedback on the guidance for medical device manufacturers issued in October 2018.
Comments on the guidance, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, were submitted by more than 40 industry groups and healthcare companies before the comment period closed on March 18. The FDA will take the feedback into account and update the guidance accordingly; the final version is expected to be released later this year.
The requirement for medical device manufacturers to submit a ‘Cybersecurity Bill of Materials’ (CBOM) to the FDA as part of the premarket review has been broadly praised. The CBOM must list the software and hardware components in the device that have known vulnerabilities or could be affected by vulnerabilities. Healthcare organizations can match that list against vulnerability advisories to assess and manage the risk of the devices on their networks.
However, several groups raised concerns about the requirement to include all hardware components, since a device manufacturer may not even be able to obtain that information from its suppliers. If hardware components and subcomponents are included, the list could run to hundreds of entries. Commenters asked the FDA to limit the CBOM to software, and to rename it a Software Bill of Materials, as hardware may be outside the control of the device manufacturer.
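To make the risk-management use of a CBOM concrete, the following is an added example (not from the FDA guidance, the article, or any commenter) of how a hospital security team could cross-reference a CycloneDX-style bill of materials against vulnerability advisories. The device, component names, versions and the advisory entries are all constructed for illustration; only the CycloneDX field names (bomFormat, specVersion, components, name, version) are real. It also flags components listed without a version, which is the practical consequence of the hardware concern above: an entry that cannot be pinned to a version cannot be matched against an advisory.

```python
"""Added example: match a CycloneDX-style CBOM against an advisory list.

Everything below (the device, its components, the advisories) is
constructed sample data, not real medical device or vulnerability data.
"""
import json
import re

# Constructed CycloneDX-like CBOM for a hypothetical infusion pump.
# "bluetooth-module" is a hardware part listed without a version, as a
# supplier might report it.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "operating-system", "name": "embedded-linux", "version": "4.9.120"},
    {"type": "library", "name": "openssl", "version": "1.0.2k"},
    {"type": "library", "name": "libxml2", "version": "2.9.9"},
    {"type": "application", "name": "pump-controller", "version": "3.1.0"},
    {"type": "device", "name": "bluetooth-module"}
  ]
}
"""

# Constructed advisory feed: a component is affected if
# introduced <= version < fixed. IDs are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "ADV-0001", "component": "openssl", "introduced": "1.0.0",
     "fixed": "1.0.2u", "severity": "high"},
    {"id": "ADV-0002", "component": "embedded-linux", "introduced": "4.0",
     "fixed": "4.9.200", "severity": "critical"},
    {"id": "ADV-0003", "component": "libxml2", "introduced": "2.9.0",
     "fixed": "2.9.5", "severity": "medium"},
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(version):
    """Turn '1.0.2k' into a comparable tuple: four numeric fields padded
    with zeros, followed by the letter suffix (OpenSSL-style)."""
    match = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]*)", version)
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    nums = [int(part) for part in match.group(1).split(".")]
    nums += [0] * (4 - len(nums))
    return tuple(nums[:4]) + (match.group(2),)


def is_affected(version, introduced, fixed):
    """Half-open range check: introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def find_vulnerable(sbom_json, advisories):
    """Return findings (most severe first) for versioned components
    that fall inside an advisory's affected range."""
    components = json.loads(sbom_json)["components"]
    findings = []
    for comp in components:
        version = comp.get("version")
        if not version:
            continue  # unversioned entries are reported separately
        for adv in advisories:
            if adv["component"] == comp["name"] and is_affected(
                version, adv["introduced"], adv["fixed"]
            ):
                findings.append({
                    "component": comp["name"],
                    "version": version,
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                    "fixed_in": adv["fixed"],
                })
    findings.sort(key=lambda f: SEVERITY_RANK[f["severity"]])
    return findings


def unversioned_components(sbom_json):
    """Names of components that cannot be matched against any advisory
    because the CBOM gives no version for them."""
    components = json.loads(sbom_json)["components"]
    return [c["name"] for c in components if not c.get("version")]


if __name__ == "__main__":
    for f in find_vulnerable(SBOM_JSON, ADVISORIES):
        print(f"{f['severity']:8} {f['component']} {f['version']} "
              f"-> {f['advisory']} (fixed in {f['fixed_in']})")
    for name in unversioned_components(SBOM_JSON):
        print(f"unmatchable (no version): {name}")
```

A real deployment would pull the advisory list from a vulnerability feed rather than a literal, and would key components on package URLs (purl) or CPEs rather than bare names, because name collisions across ecosystems are common; the half-open version range and the "unversioned" bucket are the parts worth keeping.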
The FDA has proposed a two-tier classification of medical devices based on cybersecurity risk. Tier 1 covers devices with higher cybersecurity risk: devices that connect to healthcare networks, and devices whose compromise could harm multiple patients. Tier 2 covers devices with a standard level of cybersecurity risk.
Several groups requested changes to the tiered system, ranging from dropping the tiers altogether in favor of a single risk-based approach to adding a third tier for devices with low cybersecurity risk. It was also suggested that the tier definitions be broadened to cover indirect harm to patients or to the organization, so that privacy risks from the exposure of sensitive data are captured.
CHIME suggested the FDA change its definition of medical device risk to cover all risks associated with a device, not only direct harm to the patient. A compromised medical device can serve as a foothold for further attacks on the organization, so the risk extends well beyond the device itself. CHIME therefore asked the FDA to expand the definition of risk to include risks to the entire health IT ecosystem.
CHIME also noted that some device manufacturers are not doing enough to address known risks. For example, the patch for the SMB vulnerability exploited in the WannaCry ransomware attacks in 2017 (MS17-010) still has not been applied to many medical devices, because manufacturers classify the vulnerability as a controlled risk. In other cases, no action is taken on known vulnerabilities until the FDA decides a recall is required. CHIME argued that the decision on whether a risk is controlled or uncontrolled should not rest with the device manufacturer.
CHIME also suggested that the FDA be much clearer about the steps manufacturers are expected to take to remediate known vulnerabilities so that patient safety is not put at risk, and that medical devices be required to meet a certification standard, as is already the case for electronic health records.