The FDA has released guidance for sponsors of devices with cybersecurity risks on what they should include in their premarket submissions, as well as considerations for device design and labeling.
The guidance defines two types of devices by level of cybersecurity risk — tier one and tier two. Tier one devices can connect, either wired or wirelessly, to other devices, a network or the Internet, and could result in harm to the patient(s) if compromised by a cybersecurity attack. Examples include pacemakers, dialysis devices and insulin pumps. Tier two devices are any devices that don’t meet the criteria for tier one.
“These recommendations can facilitate an efficient premarket review process and help ensure that marketed medical devices are sufficiently resilient to cybersecurity threats,” the agency said.
The device’s design documentation should center around showing that the device is “trustworthy” — the device should be reasonably secure from cybersecurity misuse and intrusion and follow generally accepted security procedures.
The guidance makes many recommendations for device trustworthiness in Section V related to limiting access to trusted users, authenticating and checking authorization of safety-critical commands, ensuring content is trusted through code/data integrity and maintaining data confidentiality. For tier one devices, design documentation should address all of these recommendations; tier two devices should either do the same or include a risk-based rationale explaining why cybersecurity design controls aren’t needed.
The agency includes specific recommendations for labeling. For example, it suggests that the labeling should describe the cybersecurity controls appropriate for the device, such as the use of an antivirus or firewall. Additionally, labeling should describe features that protect the device’s critical functions, as well as procedures for backup and restoration.
The guidance also suggests specific design features and cybersecurity controls the agency believes should be incorporated. It recommends that the device should only allow cryptographically verified updates or firmware to be installed, and suggests that the integrity of all incoming data be verified. Design features should also detect and track any security compromises and permit routine security and antivirus scanning.
Read the full guidance here: www.fdanews.com/10-18-18-Cybersecurity.pdf. — James Miessler