
Industry seeks changes to FDA’s new guidance on device cybersecurity

The medtech industry is seeking modest changes and clarifications to new guidance on device cybersecurity issued by the US Food and Drug Administration (FDA).

In March, FDA issued draft guidance updating its final guidance from September 2023 on cybersecurity of medical devices. The update provides more details on the types of devices that fall under section 524B(c) of the Food, Drug, and Cosmetic Act (FD&C Act) and how companies can comply.

Comments were due on 13 May. The Advanced Medical Technology Association (AdvaMed) and the AdvaMed Medical Imaging Division requested a series of clarifications to the update on behalf of their industry members.

For example, AdvaMed requested changes to FDA’s wording on what counts as a device connected to the internet, asking the agency to clarify its thinking.

“This change seeks to eliminate misunderstanding the word internet to be broad and include connecting to any untrusted network via any means possible,” AdvaMed wrote. “This helps make the following list make more sense since RF (Radio Frequency) communications such as BLE (Bluetooth Low Energy) don’t have IP addresses but can be used to hop between a device connected to a network with an IP (Internet Protocol) address and a device associated to it with BLE.”

The MRI patient monitoring and infusion pump technology company Iradimed commented that it is concerned that FDA’s interpretation of the “ability to connect to the internet” is overly broad.

“Under FDA’s interpretation, devices with simple technological characteristics such as any sort of radio communication feature or I/O port would be viewed as having the ability to connect to the internet, even if that device is incapable of creating an internet connection on its own, i.e., without a third party attachment,” Iradimed wrote.

The agency should clarify that it is referring to products that have connection capability within the device itself and also are intentionally connected to the internet, Iradimed suggested.

AdvaMed requested that the agency clarify that devices that meet the definition of network connectable by the American National Standards Institute and Underwriters Laboratories (RELATED: UL wades into cybersecurity of medical devices, Regulatory Focus 8 November 2018).

“The UL (Underwriters Laboratories) standard is an FDA consensus standard and is referenced in the FDA Guidance, though not specifically regarding this topic,” AdvaMed wrote. “It includes a definition that defines Network-Connectable as any device, component or software that can be connected via physical, wireless, cellular and other non-physical transmission means to another device, component or software or groups of devices, components, or systems of software.”

AdvaMed noted that the definition of “cyber device” helps identify products that require management of cybersecurity risks and that documentation on risk management should be scaled according to the degree of risk.

“For instance, if all physical ports have been intentionally physically rendered inoperable during manufacturing as part of the design, documentation could simply state this and justify a smaller amount of cybersecurity requirements and testing since the attack surface is near-zero,” AdvaMed wrote. “Cybersecurity risk and scale of documentation must be adequately justified instead of using the definition of cyber device to attempt to remove the requirement to consider cybersecurity risks entirely.”

AdvaMed also asked FDA to clarify what an “unacceptable vulnerability” in a device means and to note that this determination is based on manufacturers’ own security assessments.

“For instance, a vulnerability would be acceptable if it is not exploitable because there is no use of the vulnerable function or software allowing the vulnerability to be leveraged,” AdvaMed wrote. “Also, generally software should be updated even when ‘acceptable vulnerabilities’ are present to maintain the supportability of the software. However, the term unacceptable vulnerability from 524B is not a standard definition.”

AdvaMed recommended adding this text about end-of-life operating systems from FDA’s electronic submission template and resource (eSTAR) program to the guidance.

“Operating systems that are no longer supported or nearing end of support will not be considered cybersecure. Operating systems include, but are not limited to, commercial computer (e.g., Windows, Linux, Mac OS), mobile device (Android, iOS), and real-time operating systems.”

This will help ensure clarity and consistency, AdvaMed suggested.

The draft guidance directs manufacturers of 510(k) devices to consider new risks and vulnerabilities in comparison to the predicate device submission, which assumes that sponsors are aware of the cybersecurity measures taken on the predicate device.

“Cybersecurity measures are often proprietary and not published in the same way as clinical performance and efficacy,” AdvaMed wrote. “Based on the proprietary and private nature of many cybersecurity measures it is not fair to expect that sponsors of 510(k) submissions are aware of or have access to non-public information on the predicate device when developing products.”

RAPS.org

Copyright © 2024 Medical Buyer