The FDA has released a draft guidance for cybersecurity in medical devices, which is a revised version of a similar document published in October 2018. If enacted as a final guidance as written, investigational device exemptions (IDEs) would be within the scope of the FDA’s cybersecurity policies, one of the more significant changes found in the document.
The FDA’s Center for Devices and Radiological Health released the draft April 7, stating that cybersecurity threats are both more numerous and potentially more clinically impactful. The draft places more emphasis on total product life cycle considerations, and the final version of this guidance will replace the previous final guidance of 2014. The fact that the FDA will take comment for 90 days, through July 7, 2022, is an indicator of the significance of the draft, given that many draft guidances are posted with only a 60-day comment period.
The FDA conducted a workshop in January 2019 to review the 2018 cybersecurity draft, an event the agency said had combined with comments regarding the 2018 draft to prompt several changes. The 2018 draft guidance included provisions such as requirements for a cybersecurity bill of materials, which has been eliminated and replaced by requirements for a software bill of materials.
Another significant change from the 2018 draft guidance is the elimination of the two tiers of cybersecurity risk. In the 2018 draft guidance, a medical device or device software would be seen as a tier 1 risk if it could be connected to another device, including wirelessly, and if a cybersecurity incident could directly result in harm to multiple patients. Otherwise, a device was deemed to be a tier 2 risk. Some in industry saw this approach as potentially confusing, given that medical devices are already subject to a three-class general risk classification scheme.
The 2018 draft guidance was applicable to 510(k) applications, de novo requests, PMA filings, product development protocols and humanitarian device exemptions. The draft’s inclusion of IDE applications does not subject these investigational devices to the full set of requirements that would otherwise apply. The draft states that a subset of the general requirements would apply to IDE devices, although the cybersecurity provisions for an IDE device may have to be updated upon a grant of market access.
There is pending cybersecurity legislation in Congress, which would have an effect on cybersecurity requirements for medical devices. One of these is the Protecting and Transforming Cyber Health Care (PATCH) Act, sponsored by two members of the U.S. Senate, Bill Cassidy (R-La.) and Tammy Baldwin (D-Wisc.). Sen. Cassidy announced the bill in a March 31 statement describing the PATCH Act (S. 3983) as improving cybersecurity for devices by requiring that manufacturers design, develop and sustain procedures to maintain and patch the device and any related systems.
The legislation also requires the use of a software bill of materials and development of a plan to monitor postmarket cybersecurity performance. There is a companion bill in the House of Representatives sponsored by Rep. Angie Craig (D-Minn.) and Michael Burgess (R-Texas).
Another bill affecting cybersecurity was recently passed by the U.S. Senate, the Strengthening American Cybersecurity Act (SACA) of 2022, which includes a range of reporting requirements for establishments that experience a cyber incident. Among the types of entities that would be covered by S. 3600 are health care facilities, which may include hospital imaging departments and free-standing imaging clinics.
Under SACA, cyber incidents would be reportable within 72 hours, while ransomware attacks would have to be reported within 24 hours. The bill was passed in the Senate March 1, and was forwarded to the House of Representatives.