On September 25, 2023, the U.S. Food and Drug Administration (FDA) issued the final guidance Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions. This guidance provides recommendations for medical device manufacturers on cybersecurity considerations and what information to include in premarket submissions. It replaces the FDA’s guidance Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, issued on October 2, 2014.
Given my familiarity and experience with the FDA’s 2014 guidance and the supplemental draft guidances, the 57 pages of this guidance were a fairly quick and familiar read. The FDA provided clarifications on the fuzzier aspects of previous recommendations and also introduced some newer notions that I find particularly interesting, considering the industry’s obvious gap in providing runtime device integrity. What is being done to prevent the exploitation of vulnerabilities in real time? Not just waiting around for a patch…
We know that medical devices have historically not been designed with cybersecurity in mind, and even when they are, they operate in widely varying security architecture environments, making it difficult to ensure robust security against the many evolving and sophisticated cyber threats. Many of these ambiguities could be resolved at runtime through proper device execution integrity techniques.
Going beyond security testing and security risk management, the guidance recommends that device manufacturers leverage data and code integrity, specifically to “Validate that all data originating from external sources is well-formed and compliant with the expected protocol or specification.” This consideration pertains to preventing memory overflow and improper input validation vulnerabilities on devices.
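As an added illustration of that recommendation (example code written for this post, not from the FDA guidance or any device vendor), the parser below accepts only frames of a constructed two-byte-header format, derives every copy length from fields that have already been bounds-checked, and rejects oversized, truncated and corrupted input before any memory is written:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed frame layout (not from the FDA guidance or any real device
 * protocol): [type][payload length][payload...][XOR checksum of preceding bytes] */
#define FRAME_HDR_LEN       2
#define FRAME_MAX_PAYLOAD   32
#define MSG_TYPE_SET_RATE   0x01
#define MSG_TYPE_GET_STATUS 0x02

typedef struct { uint8_t type, len, payload[FRAME_MAX_PAYLOAD]; } frame_t;

/* Returns 1 and fills *out only if buf holds exactly one well-formed frame;
 * otherwise returns 0 and leaves *out untouched. The memcpy length comes from
 * fields that have already been bounds-checked, never straight from the wire. */
int parse_frame(const uint8_t *buf, size_t buf_len, frame_t *out)
{
    if (buf == NULL || out == NULL) return 0;
    if (buf_len < FRAME_HDR_LEN + 1) return 0;            /* header + checksum */
    uint8_t type = buf[0], len = buf[1];
    if (type != MSG_TYPE_SET_RATE && type != MSG_TYPE_GET_STATUS) return 0;
    if (len > FRAME_MAX_PAYLOAD) return 0;                 /* would overflow payload */
    if (buf_len != (size_t)FRAME_HDR_LEN + len + 1) return 0; /* truncated or trailing bytes */
    if (type == MSG_TYPE_SET_RATE) {
        /* Semantic check: exactly a 2-byte big-endian rate within a constructed 30..200 bound. */
        if (len != 2) return 0;
        uint16_t rate = (uint16_t)((buf[2] << 8) | buf[3]);
        if (rate < 30 || rate > 200) return 0;
    } else if (len != 0) {
        return 0;                                          /* GET_STATUS carries no payload */
    }
    uint8_t sum = 0;
    for (size_t i = 0; i + 1 < buf_len; i++) sum ^= buf[i];
    if (sum != buf[buf_len - 1]) return 0;
    out->type = type;
    out->len = len;
    memcpy(out->payload, buf + FRAME_HDR_LEN, len);
    return 1;
}

/* Convenience wrapper: 1 if the bytes parse as a valid frame, else 0. */
int frame_is_valid(const uint8_t *buf, size_t n) { frame_t f; return parse_frame(buf, n, &f); }
/* Constructed sample inputs: one valid SET_RATE (rate 60) and three malformed frames. */
const uint8_t GOOD_SET_RATE[] = {0x01, 0x02, 0x00, 0x3C, 0x3F};
const uint8_t OVERSIZED_LEN[] = {0x01, 0xC8, 0x00, 0x3C, 0xF5};  /* claims a 200-byte payload */
const uint8_t TRUNCATED[]     = {0x01, 0x02, 0x00};              /* claims 2 bytes, carries none */
const uint8_t BAD_CHECKSUM[]  = {0x01, 0x02, 0x00, 0x3C, 0x00};
```

The same ordering of checks (structural bounds first, then per-message semantics, then integrity) carries over to any externally sourced input a device consumes, whether from a network, USB or a clinician-facing interface.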
The FDA cites Host-based Intrusion Detection/Prevention Systems (HIDS/HIPS) as an example of how to meet the need for runtime intrusion detection and prevention as a form of execution integrity, alongside proper event and data logging for incident response and anomaly detection. Leveraging this type of technology ensures the execution integrity of the device, positioning it to be secure at any point in time, regardless of the manufacturer’s current patching cadence and capability. Instead of reactively chasing vulnerabilities, we can proactively anticipate them and halt their exploitation in the event of a malicious attack.
I’m personally excited by the FDA’s recognition of and recommendations for this complex area of cybersecurity. The guidance takes the medical device and healthcare industry a leap forward with the understanding that attacks happen in real time and cannot always be defended against offline or months later with a patch. At the end of the day, the most important consideration for all of us involved in the manufacturing of medical devices is that a patient could be relying on the medical technology that is under attack, and attack prevention is essential to ensuring the safety of the device and hence the safety of the patient.
On November 2, 2023, the FDA is hosting a webinar for industry and other stakeholders interested in learning more about this guidance.