Global Authorities Ramp Up Medical Device Cybersecurity Expectations: What Medical Device Companies Need to Know | Orrick, Herrington & Sutcliffe LLP
- EU Regulation
- October 26, 2022
The last year has seen a multijurisdictional regulatory push for increased cybersecurity standards for medical devices. The new approaches, issued by regulatory authorities in the United States (U.S.), the United Kingdom (UK) and Europe (EU), promote global cybersecurity in medical devices and patient safety regardless of where the medical device company is operating.
Here are the major themes medical device developers need to know:
- Recent Global Developments
- Designing for Security
- Submission Transparency
- Security Risk Management
- Third-Party Procurement
- Security Architecture for Medical Devices
- Looking Forward
1. Recent Global Developments
United States (U.S.)
This spring, the U.S. Food and Drug Administration (FDA) issued draft guidance addressing long-standing concerns for medical device cybersecurity and further articulated its position on cybersecurity in premarket submissions of medical devices. The draft builds on guidance issued in 2014. The guidance, while still in draft and voluntary, is critical. Companies developing medical devices are largely exempt from the security rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which makes this guidance markedly important in its scope and recommendations for those medical device manufacturers preparing premarket submissions.
In September 2022, the FBI issued an industry alert regarding unpatched and outdated medical devices that can be leveraged in cyberattacks. According to the alert, a growing number of vulnerabilities are caused by unpatched medical devices that run on outdated software and lack sufficient security features.
United Kingdom (UK)
In May 2022, the UK government introduced the Product Security and Telecommunications Infrastructure Bill (PSTI Bill), designed to ensure that consumer device manufacturers, importers and distributors are held accountable to stricter cybersecurity standards. While some consumer devices can be used or adapted for clinical settings, many hope that the PSTI Bill will lead the way for legislation to similarly address cybersecurity concerns in medical devices. The UK National Cyber Security Centre (NCSC) has also published its Secure Design Principles, which are aimed at ensuring networks and technologies are designed and built securely.
Europe (EU)
The EU has already seen a ramp-up of medical device cybersecurity requirements. In September 2022, the Cyber Resilience Act was presented in Brussels with the aim of becoming the gold standard for mandatory cybersecurity requirements for any product within the Internet of Things. Manufacturers that do not comply with the Act may face removal of products from the Single Market (the EU trading bloc) or a potential fine at similar levels to those under the General Data Protection Regulation (GDPR). The Cyber Resilience Act builds upon the 2017 Regulation (EU) 2017/745 on medical devices (EU MDR). The EU MDR regulates a host of security requirements spanning several chapters, with a specific focus on premarket and post-market minimum cybersecurity obligations. In December 2019, the EU’s Medical Device Coordination Group also published its extensive Guidance on Cybersecurity for medical devices, detailing the specific requirements stipulated by the EU MDR.
The EU has also implemented the Network and Information Security directive (EU) 2016/1148 (NIS Directive), which provides legal measures to boost the overall level of cybersecurity in the EU.
2. Designing for Security
The FDA’s guidance and the NCSC’s Secure Design Principles both focus on the importance of integrating security objectives across a medical device’s system architecture. Software validation and risk analysis demonstrate whether a connected device has a reasonable assurance of safety and effectiveness. The FDA and the NCSC have emphasized that manufacturers should consider a device’s wider ecosystem and interconnectivity.
In addition, the FDA’s recommendations outline a Secure Product Development Framework (SPDF) encompassing the entirety of a device’s life cycle. The SPDF outlines how to reduce the severity and frequency of vulnerabilities. The SPDF can be adopted into existing processes for product and software development, risk management and quality systems to address any ongoing obligations.
Under the EU MDR and the proposed Cyber Resilience Act, there are several manufacturer-focused cybersecurity requirements during the design, development and upgrade phases of medical device development. In particular, companies developing and manufacturing medical devices must take into account the principles of the development life cycle and of risk management, including information security, verification and validation (“secure by design” practices). Finally, manufacturers must set out minimum requirements concerning hardware, IT network characteristics and IT security measures necessary to run the software as intended, including protection against unauthorized access. Other general cybersecurity obligations will arise under the NIS Directive and the GDPR in respect of the protection of personal data.
3. Submission Transparency
The FDA’s draft guidance emphasized the importance of transparency when addressing cybersecurity in premarket submissions. Information submitted to the FDA should document cybersecurity risks of a specific device and how they are addressed. Any premarket submission documentation should align with cybersecurity risks of each device.
Furthermore, the FDA advised that manufacturers should provide device users with access to information on a medical device’s cybersecurity controls, potential risks and other relevant details. The FDA recommends that manufacturers provide a Software Bill of Materials (SBOM) that lists device manufacturer-developed components, third-party components and all upstream software dependencies. Similarly, in the UK, the NCSC advised organizations to outline all elements that compose a device’s system to eliminate the risk of blind spots.
Lastly, the FDA’s draft guidance included recommendations for manufacturers to augment device labels to include additional information regarding cybersecurity controls including diagrams, network ports and interfaces, SBOMs and guidance regarding infrastructure requirements. The PSTI Bill proposes enhanced transparency of security flaws, although it is less clear how this will be achieved.
4. Security Risk Management
According to the FDA, manufacturers can incorporate security risk management practices including:
- using SBOMs to identify devices that may be affected by component software vulnerabilities throughout their life cycle
- considering the larger system in which a device may be used including attention to how devices may be connected to networks or other devices
- disclosing technical, personnel and management practices to address potential risks in their devices
Manufacturers should include this information in premarket submissions to provide reasonable assurances of a device’s safety and effectiveness. Cybersecurity considerations should accompany existing safety risk management practices with respect to physical injury or damage to property or the environment. The PSTI Bill similarly highlighted security risk management best practices, including avoiding default passwords and reporting any discovered vulnerabilities.
Under the EU MDR, manufacturers are obligated to establish, implement and maintain a risk management system during the entire life cycle of a medical device. That system must include, among other things, regular systematic updating, the establishment and documentation of a risk management plan for each device, and the analysis of foreseeable hazards associated with each device and of reasonably foreseeable misuse. Manufacturers must adopt risk control measures that conform to safety principles, taking into account the state of the art.
Notably, the FDA’s security risk management approach may reach beyond just risks of patient harm and towards the threat to a manufacturer’s reputation.
Overall, as a good practice, manufacturers should update their security risk management reports as new information becomes available including new threats, vulnerabilities, assets, or adverse impacts during a product’s development and release.
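The SBOM-driven check described in this section, cross-referencing a device’s component list (including upstream dependencies) against newly published component vulnerabilities, as an added example that is not part of the article or of any regulator’s guidance. All component names, versions, device serials and advisory identifiers are constructed sample data.

```python
# Added example: cross-reference a device SBOM against advisories (constructed data,
# not real products or advisories) to find devices exposed via upstream dependencies.
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

def parse_version(text: str) -> Version:
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def version_affected(version: str, lower: str, upper: str) -> bool:
    """True when lower <= version < upper, the usual 'first affected / first fixed' range."""
    return parse_version(lower) <= parse_version(version) < parse_version(upper)

# Constructed SBOM: component -> its version and the upstream components it pulls in.
SBOM = {
    "pump-control-fw": {"version": "3.2.0", "depends_on": ["tls-lib", "rtos-kernel"]},
    "monitor-fw":      {"version": "2.0.0", "depends_on": ["rtos-kernel"]},
    "tls-lib":         {"version": "1.4.2", "depends_on": ["crypto-core"]},
    "crypto-core":     {"version": "0.9.8", "depends_on": []},
    "rtos-kernel":     {"version": "5.1.0", "depends_on": []},
}

# Constructed advisories: (advisory id, component, first affected version, first fixed version).
ADVISORIES = [
    ("ADV-0001", "crypto-core", "0.9.0", "0.9.9"),
    ("ADV-0002", "rtos-kernel", "4.0.0", "5.0.0"),   # already fixed in the shipped 5.1.0
]

# Constructed fleet inventory: device serial -> top-level firmware component it runs.
FLEET = {"SN-1001": "pump-control-fw", "SN-1002": "pump-control-fw", "SN-2001": "monitor-fw"}

def exposure_paths(component: str, sbom: Dict, path=()) -> Dict[str, List[str]]:
    """Map every component reachable from `component` to the dependency path that reaches it."""
    path = path + (component,)
    found = {component: list(path)}
    for dep in sbom[component]["depends_on"]:
        found.update(exposure_paths(dep, sbom, path))
    return found

def affected_devices(fleet: Dict[str, str], sbom: Dict, advisories) -> Dict[str, list]:
    """Return device serial -> [(advisory id, dependency path to the vulnerable component)]."""
    result = {}
    for serial, top in fleet.items():
        reachable = exposure_paths(top, sbom)
        hits = [(adv_id, reachable[comp]) for adv_id, comp, lo, hi in advisories
                if comp in reachable and version_affected(sbom[comp]["version"], lo, hi)]
        if hits:
            result[serial] = hits
    return result
```

Calling `affected_devices(FLEET, SBOM, ADVISORIES)` flags both pump devices through the path pump-control-fw -> tls-lib -> crypto-core and leaves the monitor unaffected; the same routine is what a manufacturer would rerun whenever a new advisory arrives, to keep the risk management report current.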
5. Third-Party Procurement
The constant risk of data breaches or cybersecurity incidents highlights the importance of understanding and integrating privacy and cybersecurity controls throughout the product life cycle to protect products from risks in every part of the supply chain ecosystem.
While the FDA’s guidance may appear to focus on manufacturers, it also extends to ensuring that processes and controls are in place so that any supplied components conform to the relevant cybersecurity requirements. Procurement of software from third parties introduces an additional layer of cybersecurity risk.
Notably, the UK has focused on the issues of procurement and connected medical devices. The UK National Health Service (NHS) released guidance stressing the importance of cybersecurity as part of:
- the procurement process
- the deployment, maintenance and disposal of connected medical devices
- the management of legacy devices
The focus of the PSTI Bill is on the manufacturing stage. It is likely that the same focus will be drawn towards medical devices in the coming years. Procurement best practices may allow manufacturers to detect, prevent or identify potential vulnerabilities as they build their products.
6. Security Architecture for Medical Devices
The FDA recommends that manufacturers develop and maintain security architecture view documentation as part of the process of designing, developing and maintaining a device’s systems. If corrective and preventive measures are identified, these views can be used to identify any potentially impacted functionality and help prepare solutions to address such risks.
Any premarket submission should include multiple views, including a global system view and a multi-patient harm view. These help stakeholders understand how the device and its systems function holistically and how the associated implementation details fit together.
A comprehensive analysis of foreseeable hazards and a documented plan are also an essential part of an effective risk management system as required by the EU MDR.
The FDA also focused on the importance of regular cybersecurity testing in order to demonstrate the effectiveness of cybersecurity-minded designs. Going beyond software verification and validation, these security assessments should focus on a device’s security controls throughout its life cycle. Organizations can go further by implementing Zero Trust segmentation for vulnerable legacy devices and by tracking user access.
7. Looking Forward
The FDA’s guidance, and the focus in the U.S., UK and EU on cybersecurity in medical devices, can significantly impact manufacturers’ product development and release. Requirements such as maintaining real-time inventories of devices are critical to manage the overall enterprise security risk. Moreover, as part of a critical infrastructure sector, entities operating in the health care or public health sectors already contend with significant security obligations—a trend that will continue to expand. In fact, earlier this year in the U.S., the Cyber Incident Reporting for Critical Infrastructure Act of 2022 was signed into law with the hope of prioritizing cybersecurity in critical infrastructure industries, including health care.
Orrick is advising global medical device companies on growing with cybersecurity in mind, day-to-day business functions, and preparing and responding to cybersecurity incidents around the globe. Contact one of the authors if you have questions about medical device cybersecurity.