Concerns Raised Over FDA Cybersecurity Draft Guidance

In April 2022, the FDA published a draft guidance concerning cybersecurity in medical devices. The Agency sought to help medical device manufacturers integrate cybersecurity practices into their products in the premarket period and to help ensure that security risks are addressed for the duration of the products' lifetimes. The latest update to the guidance included recommendations related to device design and labeling. The FDA also encouraged manufacturers to include threat models and added a requirement for a software bill of materials, both intended to improve data safety and security.

The FDA created the new draft guidance after receiving concerns about its 2018 guidance. The latest guidance is five times larger than its earlier version, a result of the ever-changing cybersecurity landscape. In an attempt to issue a comprehensive guidance, the FDA released it in draft form to encourage feedback. The FDA received more than 1,800 comments from various sources, including the public, medical device manufacturers, and other stakeholders.

A significant portion of the 1,800 comments were submitted by patients with diabetes and their healthcare providers. Concerns were raised over potential restrictions on access to medical devices and their information. Although the public comment period closed on July 7th, the docket continues to receive additional public comments expressing the same concerns.

Several health organizations raised concerns regarding the draft guidance. A recurring concern was the lack of direction on managing cybersecurity for lower-risk medical devices. Typically, risk-based decision-making is a key component of the FDA's medical device regulations; however, the FDA does not specify what elements are expected for devices at this lower risk level. Health organizations such as AdvaMed and Philips called for a timeline from the publication of the final guidance to allow sponsors to review, adopt, and implement it.

The Bringing Real-world Insight for Device Governance and Evaluation (BRIDGE) group asked the FDA to incorporate least burdensome principles into the guidance. Least burdensome is a concept in which the minimum amount of information necessary is used to adequately address a regulatory issue in the most efficient manner. Other stakeholders requested that the FDA draw on cybersecurity standards from other industries, such as the FDO protocol and MITRE's Threat Assessment and Remediation Analysis (TARA), for medical devices. The FDA intends to review the issues mentioned above, along with several other concerns raised, in order to establish a fully comprehensive guidance on the cybersecurity of medical device systems.