This article was first published in Law360

In recent years, the threat of cybersecurity attacks has evolved in the minds of the public and regulators from a theoretical novelty to a tangible reality. There have been numerous institutions in various industries coming under attacks by malicious actors, sometimes resulting in data breaches and significant monetary penalties.

In the health care sector, cybersecurity incidents can have an adverse clinical impact on patients, particularly if personal medical devices or interconnected medical devices are rendered inoperable or become compromised.

On April 8, the U.S. Food and Drug Administration issued a new draft guidance on cybersecurity, "Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions."[1] This draft guidance replaces the agency's prior 2018 draft guidance, "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices," and when finalized, will supersede the agency's final guidance from 2014.

The FDA cybersecurity guidance is nearly 50 pages long and contains detailed recommendations for device makers in terms of the types of content that should be included in premarket submissions, how cybersecurity considerations should be incorporated into companies' quality management systems, and even how device labeling should address cybersecurity considerations.

In this guidance, the FDA specifically reminds companies that inadequate cybersecurity controls can render a device misbranded. At the core of the FDA's newest cybersecurity draft guidance is that cybersecurity controls should be built in rather than bolted on.

The FDA emphasizes the importance of having robust design controls to address potential vulnerabilities in the design of medical devices.[2] The FDA also recommends that companies implement appropriate systems, procedures and controls to continually monitor potential cybersecurity issues throughout the product life cycle, and noted that the following specific quality system regulations may be relevant in this regard:

• Complaint handling;[3]
• Quality audit;[4]
• Corrective and preventive action;[5]
• Software validation and risk analysis;[6]
• Servicing[7]

This discussion of how cybersecurity considerations should be incorporated into companies' quality management systems is not new, as many of the same principles in the 2022 cybersecurity draft guidance are reflected in the 2016 FDA guidance, "Postmarket Management of Cybersecurity in Medical Devices," which outlined the elements of an effective post-market cybersecurity program in accordance with quality system regulations.

In comparing the 2022 cybersecurity draft guidance with the prior version from 2018, there are several noteworthy changes. One significant change was the removal of the two-tier risk framework in the 2018 draft guidance.

Previously, medical devices — regardless of their risk class — were separated into two tiers. Tier 1 was reserved for medical devices that posed a higher cybersecurity risk because they met two criteria: (1) were capable of connecting to another medical or nonmedical product, or to a network, or to the internet; and (2) a cybersecurity incident affecting the device could directly result in patient harm to multiple patients.

Examples of Tier 1 devices, under the 2018 draft guidance, included pacemakers, dialysis devices, infusion and insulin pumps, implantable cardioverter defibrillators, left ventricular assist devices, brain stimulators and neurostimulators.

Tier 2 accounted for all other medical devices and characterized as having a standard cybersecurity risk. In the current draft guidance, the FDA states that the applicable scope are all devices that contain software, including firmware, or programmable logic, as well as software as a medical device, regardless of whether they are network-enabled or contain other connected capabilities.

Another change that is significant is the concept of a software bill of materials, which is a list of software components, including but not limited to commercial, open source, off-the-shelf, and custom software components. The software bill of materials is essentially a tool to help companies assess potential cybersecurity risks throughout the supply chain.

The FDA recommends companies include software bill of materials documentation in their premarket submissions and in the labeling. In the 2018 draft guidance, the FDA had introduced a similar concept of a cybersecurity bill of materials that was intended to be a comprehensive list of all commercial, open source, and off-the-shelf software as well as hardware components that are or could become susceptible to vulnerabilities.

Similarly, the cybersecurity bill of materials was meant to help companies develop and implement appropriate controls. Given the media attention and the volume of ink that has been spilled on the topic of cybersecurity over the years, it may come as a surprise that the FDA's public enforcement record on cybersecurity issues has been historically sparse. As of the date of this publication, there have only been a handful of FDA warning letters that expressly discuss cybersecurity issues.

But the relatively low numbers may be explained in part by the fact that there is no express federal statutory requirement in the Federal Food, Drug, and Cosmetic Act that requires medical device makers to adopt cybersecurity requirements. Accordingly, the FDA has been using guidance to signal to the industry that cybersecurity issues will be considered during the premarket submission process and the industry may start to see more inspectional observations relating to cybersecurity-related procedures and controls.

In contrast, the Health Insurance Portability and Accountability Act requires covered entities and business associates to implement administrative, physical and technical safeguards to protect the confidentiality, integrity and security of personal health information. In many cases, however, device manufacturers are not directly subject to HIPAA.

Recently, both the U.S. Senate and the House of Representatives introduced bills — Protecting and Transforming Cyber Health Care Act[8] — that will amend the Food, Drug, and Cosmetic Act to require manufacturers of cyber devices, defined as devices that include software or is intended to connect to the internet, to implement certain cybersecurity requirements, such as having to:

• Monitor, identify and address post-market cybersecurity vulnerabilities;
• Provide a coordinated vulnerability disclosure as part of submissions to the FDA;
• Collect and maintain information as required by the FDA;
• Design, develop and maintain processes and procedures to make updates and patches available throughout the lifecycle of the cyber device; and
• Maintain a software bill of materials for the device, including commercial, open-sourced and off-the-shelf software, that will be submitted to the FDA and provided to users.

This proposed legislation would provide some serious teeth behind the above-mentioned cybersecurity requirements by making noncompliance with certain requirements as grounds for a misbranding or adulteration violation.

The increased scrutiny on cybersecurity and the corresponding costs of implementation may curtail or delay innovations in this space. But it's too early to tell, and by all accounts, the digital health industry is thriving and expected to grow exponentially.

The recent introduction of the PATCH Act in both the Senate and House, and this newest installment of cybersecurity guidance from the FDA, signal that mandatory cybersecurity requirements for certain medical devices may be on the horizon.

In the meantime, companies that are manufacturing, distributing and marketing devices with wireless and other connection capabilities (via the internet, network or portable media), should carefully review the recent FDA draft guidance and consider the following practical considerations:

• Consider whether cybersecurity is appropriately addressed in the company's written policies and procedures, including the quality manual;
• Consider performing periodic cybersecurity risk assessments that take into account the potential exploitability of the device and/or the system to which the device is connected;
• Consider the inclusion of cybersecurity information in labeling to help manage risks and/or ensure safe and effective use of the device;
• Consider whether there are potential gaps in current knowledge about suppliers in your supply network that are necessary to generate a software bill of materials;
• Consider whether existing agreements with suppliers contain appropriate cybersecurity obligations, including timeline and communications about forthcoming patches and updates, immediate notifications for cyber incidents, and coordination on responding to cyber incidents;
• Consider the use of master files for devices to provide the FDA the ability to review data and other proprietary information regarding a third party's product, facility or manufacturing procedures; and
• Consider forming a dedicated internal team of personnel who are trained and responsible for carrying out plans to identify and communicate post-market cybersecurity related vulnerabilities.

*** 

The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.

[1] https://www.fda.gov/media/119933/download.

[2] 21 CFR 820.30.

[3] 21 CFR 820.198.

[4] 21 CFR 820.22.

[5] 21 CFR 820.100.

[6] 21 CFR 820.30(g).

[7] 21 CFR 820.200.

[8] https://www.govinfo.gov/content/pkg/BILLS-117hr7084ih/pdf/BILLS-117hr7084ih.pdf.