FDA-2018-D-3443 – Updated Guidance For Medical Devices With Cybersecurity Risks
The draft guidance updates the Agency’s 2014 final medical device cybersecurity guidance and encourages sponsors to take a total product lifecycle approach to security. It is also expected to improve premarket review efficiency and help ensure that marketed devices are protected against cybersecurity vulnerabilities.
Velentium’s Gates calls the new draft “a much better document” than the 2018 one that received substantial pushback from medtech manufacturers.
Software Bill of Materials (SBOM)
The FDA recommends that medical device manufacturers have a software bill of materials (SBOM) to identify and monitor cybersecurity vulnerabilities throughout the product life cycle. The SBOM should include all off-the-shelf, open source, and critical components used by a medical device.
This includes commercial software, third-party libraries, and custom code. Larger medical device companies may have their own in-house programming talent, but smaller companies rely on the collective prowess of a potpourri of development firms to write the code for their devices and applications.
Many of these developers work on a freelance basis, and their contributions are often distributed across multiple projects. These projects could be in different programming languages and on various platforms, making them difficult to track. Furthermore, many of these components are constantly updated and patched, and it can be challenging to find the correct version of a component for a specific application. Consequently, an SBOM must be searchable to help customers quickly find the right version of a component.
Software Configuration Management
A software configuration management system (SCM) monitors the elements that make up software in order to keep track of any changes. The goal of SCM is to ensure that all elements of a software product remain up-to-date, available and functioning at the highest level possible.
A good SCM tool will help streamline team operations. For example, it can automatically record what parts of a software project are completed and where a team member is located. This helps to eliminate problems that may arise due to communication barriers caused by geographic or time zone differences.
SCMs also enable teams to work together more effectively, regardless of their location. This is especially important when working with off-the-shelf (OTS) software components that are being incorporated into a medical device product. This is because OTS software is often used by multiple health care facilities. The FDA recommends that sponsors provide the recommended documentation in a premarket submission for such OTS software, including clauses and subclauses based on the FDA-recognized version of ANSI/AAMI/IEC 62304:2006 & A1:2016, Medical device software – Software life cycle processes, including clause 5.1 (“Software development planning”), clause 6 (“Software maintenance process”), and clause 8 (“Software configuration management process”), among others.
Software Update and Patch Management
Patch management helps keep software, devices and systems up to date to prevent attacks that exploit known vulnerabilities. It also improves performance and boosts productivity.
Security patches remediate specific vulnerabilities, which hackers often target. For example, the 2017 WannaCry ransomware attack spread over networks that didn’t apply a Microsoft patch to fix the flaw.
Testing patches before deployment is crucial to ensure that they don’t introduce any other problems (called software regressions). A centralized patch management server streamlines the process by automating all aspects of patch deployment, from identifying missing patches to checking their compatibility with operating system and third-party application components.
Effective patch management is essential for meeting industry security standards and staying compliant with regulations such as GLBA, HIPAA or PCI DSS. Failure to adhere to these standards can lead to fines, penalties and the reputational damage associated with data breaches. A proactive patch management program helps businesses avoid these risks. The FDA is working to establish standardization in this area, which should bring transparency to a patch management procedure that’s been historically fragmented and opaque.
The final guidance is a significant step forward from an earlier draft issued in 2018 that got pushback from stakeholders. The updated document lays out a total product lifecycle approach for medical devices with cybersecurity risks and provides recommendations for sponsors to include in premarket submissions.
The new guidance also recommends that manufacturers include information in premarket submissions about their software components and how the components can be updated or patched. This should bring more transparency to a process that has been idiosyncratically tracked and not transparently shared across the industry, said Velentium’s Gates.
The FDA is asking for SBOMs to be in a format similar to the one that NTIA created as part of its multistakeholder process. It also suggests that sponsors use a tool to automate the production of machine-readable SBOMs. The agency is being careful not to prescribe a specific vendor or tool for this purpose, Fu said. This is because NTIA’s effort to standardize SBOM formats and tools is ongoing.
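As an added example (not from the FDA guidance, NTIA, or Velentium), here is the kind of searchable, machine-readable SBOM that the SBOM and patch management sections describe: a constructed CycloneDX-style JSON document is indexed so a component can be looked up by name and version, and each entry is compared against a constructed list of placeholder advisories to flag components that sit below their first fixed version. The component names, versions and advisory identifiers are sample values, not real findings.

```python
import json
import re

# Constructed sample SBOM (CycloneDX-style JSON field names; not a real device's SBOM).
SAMPLE_SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "openssl", "version": "1.1.1k"},
    {"type": "library", "name": "zlib", "version": "1.2.11"},
    {"type": "operating-system", "name": "linux", "version": "5.10.50"}
  ]
}"""

# Constructed advisories: component -> [(first fixed version, placeholder advisory id)].
SAMPLE_ADVISORIES = {
    "openssl": [("1.1.1l", "ADV-PLACEHOLDER-0001")],
    "zlib": [("1.2.12", "ADV-PLACEHOLDER-0002")],
}

_SEG = re.compile(r"(\d+)([a-z]*)")


def version_key(version):
    """Sortable key: '1.1.1k' -> [(1,''),(1,''),(1,'k')], so 1.1.1k sorts before 1.1.1l."""
    return [(int(num), alpha) for num, alpha in _SEG.findall(version)]


class SbomIndex:
    """In-memory index over an SBOM so components can be found by name and version."""

    def __init__(self, sbom_json):
        doc = json.loads(sbom_json)
        self.components = doc.get("components", [])
        self._by_name = {}
        for comp in self.components:
            self._by_name.setdefault(comp["name"].lower(), []).append(comp)

    def find(self, name, version=None):
        """All entries for a component (case-insensitive), optionally one exact version."""
        hits = self._by_name.get(name.lower(), [])
        return [c for c in hits if version is None or c["version"] == version]

    def affected(self, advisories):
        """(name, version, advisory id, fixed version) for every entry below its fix."""
        out = []
        for name, advs in advisories.items():
            for comp in self.find(name):
                for fixed, adv_id in advs:
                    if version_key(comp["version"]) < version_key(fixed):
                        out.append((comp["name"], comp["version"], adv_id, fixed))
        return out
```

Rerunning `affected()` whenever the advisory feed or the SBOM changes is the monitoring step the guidance asks for across the product life cycle; a component with no advisory entry (here, the OS) simply produces no finding.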