Technology has made the world more interconnected – from smartphones and cars to refrigerators and medical devices.
That connectivity can be a huge benefit if it means getting information to a doctor more efficiently, being able to monitor vital signs, or even having two different medical devices talk to each other to help manage care. But as with most technology applications, those benefits also make devices more vulnerable to cyber threats.
An April 2022 draft guidance from the Food and Drug Administration (FDA) on Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions raised concerns about the threat.
“With the increasing integration of wireless, Internet- and network-connected capabilities, portable media (e.g., USB or CD), and the frequent electronic exchange of medical device related health information, the need for robust cybersecurity controls to ensure medical device safety and effectiveness has become more important,” the FDA report noted. “In addition, cybersecurity threats to the healthcare sector have become more frequent and more severe, carrying increased potential for clinical impact.”
The agency has also called attention to the increasing use of software in healthcare, whether as a medical device itself (software as a medical device (SaMD)) or as a component of a device (software in a medical device (SiMD)). Both of these applications were addressed in a Guidance for the Content of Premarket Submissions for Device Software Solutions published in November 2021 to guide manufacturers during software design, development, verification, and validation. The November publication updated and expanded on documents issued in 2014 and 2016, demonstrating that the agency is trying to keep abreast of changes and new threats.
The FDA specifically stated that the guidance applied to devices that “contain software (including firmware) or programmable logic” as well as SaMD and did not just apply to devices that were “network-enabled or contain other connected capabilities.” The document describes recommendations regarding the cybersecurity information to be submitted for devices under a range of premarket submissions.
The Pandemic Effect
The COVID-19 pandemic pushed the integration of software and medical devices even further as medical professionals and device manufacturers looked for ways to remotely program and monitor a wide variety of medical devices. While the industry had been moving in this direction already, the pandemic rapidly sped up advances because there was a critical need to keep frontline healthcare workers safe while still caring for COVID-19 patients, particularly early in the health emergency when personal protective equipment was in short supply and so much was still unknown about the virus and its transmission and treatment.
In March 2020, the FDA published its Enforcement Policy for Non-Invasive Remote Monitoring Devices Used to Support Patient Monitoring During the Coronavirus Disease 2019 (COVID-19) Public Health Emergency which was intended to expand the availability and capability of non-invasive remote monitoring devices so that patients could be monitored while reducing contact between them and healthcare providers.
The policy clearly stated that this was only to be in effect during the COVID-19 public health emergency (PHE), but it is hard to imagine clawing back all the advances that have been made in the past two years whenever the PHE is declared to be over.
Software Issues Drive Device Recalls
With the widespread use of software in medical devices and patient care, it’s not surprising that software issues have been the leading case of medical device recalls for 21 of the past 26 quarters. Software problems were responsible for a total of 1,389 medical device recalls since January 2016, 21 percent of all recall events. Though not every recall is a cybersecurity risk, there have been some, including one in 2017 involving vulnerabilities in pacemakers and another in 2019 over concerns with a wireless insulin pump that had the potential of being hacked, which could have life-threatening health impact.
The FDA has tried to clarify its role is in medical device cybersecurity versus what is the manufacturer’s responsibility. The agency put quality system regulations (QSRs) in place that require medical device manufacturers to address cybersecurity risks. The FDA has also issued several premarket and postmarket guidances to help companies meet these QSRs.
The agency has clearly stated that manufacturers can always update a medical device for cybersecurity. Typically, the FDA does not need to review changes made to medical devices if the only purpose and impact of the changes are to strengthen cybersecurity.
Because the FDA does not conduct premarket testing of medical devices, manufacturers are responsible for validating all software design changes, including computer software changes to address cybersecurity vulnerabilities. Manufacturers also bear responsibility for the safety, effectiveness, and security of off-the-shelf (OTS) software they may use in their devices.
The FDA’s 2018 Medical Device Safety Action Plan offered further recommendations, focusing on five key areas: establishing a robust medical device patient safety net in the United States; exploring regulatory options to streamline and modernize timely implementation of postmarket mitigations; spurring innovation towards safer medical devices; advancing the cybersecurity of medical devices; and integrating the Center for Devices and Radiological Health’s (CDRH’s) premarket and postmarket offices and activities to advance the use of a total product life cycle approach to device safety.
The plan highlights some of the steps the FDA has taken to “promote a multistakeholder, multi-faceted approach of vigilance, responsiveness, recovery, and resilience that applies throughout the life cycle of relevant devices.” These include collaborating with the Department of Homeland Security (DHS) on potential cybersecurity vulnerabilities.
Total Product Life Cycle Responsibilities
Another factor in cybersecurity risk assessment is the increased postmarket surveillance as part of the total product life cycle (TPLC) that U.S. and European regulators are starting to consider. The FDA highlights this in its April 2022 document, stating that “the rapidly evolving landscape, an increased understanding of emerging threats, and the need for capable deployment of mitigations throughout the total product life cycle (TPLC) warrants an updated, iterative approach to device cybersecurity.”
The agency goes on to say that implementing and adopting a Secure Product Development Framework (SPDF) is one way to address TPLC considerations. It defines a SPDF as “a set of processes that reduce the number and severity of vulnerabilities in products throughout the device life cycle.”
Those processes may include updating the security risk management report as information about new threats, vulnerabilities, assets or adverse impacts is discovered during development and after the device is released. The FDA also recommends using threat-modeling to quickly identify vulnerability impacts once a device is released and to support timely Corrective and Preventive Action (CAPA) activities.
As a step toward better cybersecurity over the service life of a device, it is recommended that companies’ risk management documentation considers differences in how to manage “fielded devices,” both marketed devices and devices no longer marketed but still in use. There will likely be different risk profiles across devices if an update is not applied automatically to all devices in the field at the same time. Manufacturers need to have a process in place to account for these variations.
The FDA cybersecurity guidance also provides recommendations for security assessments, security architecture, cybersecurity testing, and transparency and vulnerability management plans.
The Federal Food, Drug & Cosmetic Act (FD&C Act) does not provide the FDA with express federal statutory requirements for medical device manufacturers regarding cybersecurity. But both the U.S. Senate and the House of Representatives have introduced bipartisan bills that would amend the law. The proposed changes would mandate certain cybersecurity requirements for any manufacturer of a “cyber device,” defined as a device that includes software or is intended to connect to the Internet.
Even without specific regulations, medical device manufactures must remain vigilant about identifying risks and hazards associated with their products. They should compare the FDA guidances to their internal plans to ensure they align.
While the guidances are not legally binding, they do show how the agency is looking at best practices. Being in compliance can build good will between the agency and the company, while also reassuring partners, suppliers, and consumers that the manufacturer is taking proactive steps to protect patient health and personal data.
Editor’s Note: Chris Harvey is senior vice president of brand protection at Sedgwick. With 15 years’ experience, he is recognized as an expert in the recall industry and routinely speaks on best practices at trade shows, conventions, and conferences. Throughout his career, Chris has managed more than 1,200 recall and in-market remediations, including hundreds for the largest U.S. and global brands. He also serves on the board of directors of the International Consumer Product Health and Safety Organization (ICPHSO).