Groups Ask FDA to Rethink Some Medical Device Cyber ProposalsAgency Receives Critique on Draft of Premarket Medical Device Cyber Guidance Update
The Food and Drug Administration is generally on the right track in updating guidance for the cybersecurity of premarket medical devices. But various changes are needed, according to some of the three dozen-plus healthcare sector companies and groups recently submitting feedback to the agency.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
Some of the associations submitting comments on FDA's draft guidance suggested modifications to the agency's call for a "cybersecurity bill of materials," or CBOM, that medical device makers would need to submit to the FDA for premarket review. Some also critiqued FDA's proposal to define two tiers of medical devices based on their cybersecurity risk (see FDA Calls for Cybersecurity Bill of Materials).
The FDA had requested comment by March 18 on its "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices," which was issued last October. That draft premarket guidance is a significant refresh of FDA's 2014 guidance, the agency noted last fall.
Nearly 40 groups and companies submitted comments on the draft guidance by the FDA's March 18 deadline, according to the Regulations.gov website. FDA will review the comments before issuing a final version of the guidance.
Cybersecurity Bill of Materials
Under the FDA's proposals, medical device makers would submit to the agency before devices are marketed a CBOM that would include a list of commercial, open source and off-the-shelf software and hardware components that are or could become susceptible to vulnerabilities, the draft guidance says.
Many of the associations representing healthcare provider organizations were generally supportive of the CBOM proposal. "Our members have a significant need for this information, which is crucial to evaluating threats and risks, as well as undertaking mitigation," wrote the Greater New York Hospital Association in its comments.
Kaiser Permanente, the largest private integrated healthcare delivery system in the U.S., with 12.2 million members in eight states and the District of Columbia, noted that "the introduction of a Cybersecurity Bill of Materials as part of the risk management methodology will significantly improve medical device purchasing and maintenance decisions."
However, some commenters - including some associations representing medical device makers - suggested that the FDA's definition of a CBOM that includes hardware components would be too challenging to implement.
"FDA should reference a 'software bill of materials,' instead of a CBOM, and define SBOM as 'a list of commercial off-the-shelf software or open source software components that are included in the medical device software, limited to version and build," wrote the Advanced Medical Technology Association, or AdvaMed, which represents medical technology companies.
"Providing and maintaining a bill of materials that includes hardware presents unique challenges compared to software-only bill of materials, some of which are outside the immediate control of the manufacturer," AdvaMed wrote.
For example, if components are sourced from a supplier, it may not be possible to obtain a list of all hardware subcomponents, as suppliers may be unwilling or unable to provide such information, AdvaMed contends. "If the BOM were to include all software and all hardware down to the lowest component level, the sheer amount of data provided will very likely work against the shared goal to prioritize, prevent and react to cybersecurity risks to protect patient health."
Medical device maker GE Healthcare offered a similar assessment, and also suggested that FDA focus its bill of materials proposal on software, not hardware components.
"We note that vulnerabilities such as Spectre and Meltdown occurred at the level of CPU," GE Healthcare wrote.
"At this level the bill of materials would include hundreds of programmable chipsets embedded in motherboards, peripherals, and power distribution units within a single general-purpose workstation-class computer. We do not see value for healthcare delivery organizations in proactive customer disclosure and purchasing control at this level, even in the event of another vulnerability such as Spectre."
Tiers of Risk
In the draft guidance, the FDA proposes defining two tiers of devices based on their cybersecurity risk.
Tier 1, or "higher cybersecurity risk" products include devices capable of connecting - wired or wirelessly - to another medical or non-medical product, or to a network or the Internet. In addition, a cybersecurity incident affecting these devices could directly result in patient harm to multiple patients, FDA writes in the draft guidance.
Some examples of Tier 1 devices are implantable cardiac devices, such as defibrillators and pacemakers; infusion and insulin pumps; and the supporting connected systems that interact with these devices, such as home monitors and those with command and control functionality such as programmers, the FDA proposes.
"Many of our members continue to be confronted with some manufacturers who refuse to take action on known vulnerabilities."
Tier 2, or "standard cybersecurity risk" medical devices are those that don't meet the criteria for tier 1.
Some of the commenters were critical of FDA's cyber risk tier proposals.
"We find this proposed two-tier framework confusing and unnecessary given its superficial similarity to FDA's risk classification scheme for medical devices," AdvaMed wrote.
"There are significant differences between device types that could fit within the proposed tiers. For example, small implanted medical devices, such as ICDs and pacemakers, have significantly more engineering constraints limiting their hardware and software capabilities when compared to larger medical devices used, for example, in a hospital setting," the group wrote.
"We believe FDA should remove the two-tiered approach in favor of a single risk-based approach that addresses the agency's cybersecurity expectations based on the exploitability of a device vulnerability and the severity of patient harm - if exploited."
While AdvaMed argued against FDA's draft two-tier risk approach, GE Healthcare proposed FDA add a third tier.
"We suggest that the addition of an explicit criteria for an additional Tier 3 for 'low cybersecurity risk' [that] may make the entire tiering system more usable," GE Healthcare wrote.
"For example, a device whose security threats are limited to impact only one device at a time by requiring physical access to exploit could be an example of a Tier 3 low cybersecurity risk."
But it wasn't only medical device makers that found the FDA's draft cybersecurity risk tier proposals lacking.
"We recommend FDA expand the discussion of device tiers to address the responsibility of all stakeholders to ensure security of and risk mitigation of medical devices exploiting network vulnerabilities," Kaiser Permanente wrote.
"Devices can be risk vectors for the enterprise and patients without causing direct harm. For example, a network security vulnerability in a device could allow exposure and/or modification of patient data in the electronic medical record resulting in patient harm indirectly," the organization wrote.
Some groups submitting comments also offered up other suggestions about actions FDA should consider taking for improving medical device cybersecurity.
The College of Healthcare Information Management Executive suggests FDA rethink its definition of medical device in the context of cybersecurity. "The definition should recognize that medical devices are part of an overall ecosystem which includes but is not limited to networks, switches, firewalls, applications and other components that come with 'medical devices'," CHIME - an association of healthcare CIOs and CISOs - wrote.
"Many of our members continue to be confronted with some manufacturers who refuse to take action on known vulnerabilities choosing either to categorize them as 'controlled risks' or saying they will wait until the FDA recalls a device," CHIME complained.
"For example, many of our members still report that patch MS17-010 - the patch that protects against WannaCry - has still not been deployed to certain medical devices due to the manufacturers classifying that vulnerability as a controlled risk," CHIME wrote.
This situation continues two years after the global ransomware attacks involving WannaCry and NotPetya CHIME adds.
"From our perspective both of these scenarios are unacceptable. Importantly, we believe that the FDA must be as explicit as possible with manufacturers around their expectations. Without clear direction to the manufacturers about what is required, the burden of proof for demonstrating a standard has been met and devices are secure will be shouldered by providers."