On October 18, 2018, the Food and Drug Administration (“FDA”) released draft guidance outlining its plans for the management of cybersecurity risks in medical devices. Commenters now have until March 17, 2019, to submit comments to the FDA and get their concerns on the record. More information about submitting comments can be found at the end of this post.

This revision will replace the existing guidance released in 2014, which includes recommendations but does not attempt to classify devices. The recent draft guidance takes a more aggressive posture and separates devices into those with a Tier 1 “Higher Cybersecurity Risk” and those with a Tier 2 “Standard Cybersecurity Risk.”

Tier 1 devices are those that meet the following criteria:

1) The device is capable of connecting (e.g., wired, wirelessly) to another medical or non-medical product, or to a network, or to the Internet; and

2) A cybersecurity incident affecting the device could directly result in harm to multiple patients.

Tier 2 devices are any medical devices that do not meet the Tier 1 criteria.

The FDA has varying guidance for devices depending on the Tier of the device. The FDA provides guidance for Tier 1 and Tier 2 devices on applying the NIST Cybersecurity Framework, providing appropriate cybersecurity documentation, and adhering to labeling recommendations.

In recommending the NIST Cybersecurity Framework, the FDA relies on 21 CFR 820.30(g) and recommends manufacturers provide a reasonable assurance of safety and effectiveness in their premarket submission. The FDA recommends that devices with any level of cybersecurity risk should meet the requirements for a “Trustworthy Device.” These are devices that: (1) are reasonably secure from cybersecurity intrusion and misuse; (2) provide a reasonable level of availability, reliability, and correct operation; (3) are reasonably suited to performing their intended functions; and (4) adhere to generally accepted security procedures.

The requirements for Tier 1 and Tier 2 labeling and documentation differ significantly. Tier 1 devices should include documentation that demonstrates how the device design and risk assessment incorporate the recommended design controls. The recommended design controls must explain in detail how a manufacturer will design their devices to:

(1) prevent unauthorized use,

(2) ensure trusted content by maintaining code, data, and execution integrity,

(3) maintain confidentiality of data,

(4) detect cybersecurity events in a timely fashion,

(5) respond to and contain the impact of a potential cybersecurity incident, and

(6) recover capabilities or services that were impaired due to a cybersecurity incident.

Tier 2 devices may either follow the Tier 1 standard (documenting how each design control has been incorporated) or provide a risk-based rationale for why certain recommended design controls are not appropriate.

Labeling recommendations are often the most sensitive, as they are the most likely aspect of the devices to be noticed by purchasers and may have an impact on the perceived risk of the device, separate from any actual risk. The FDA requires labeling that includes adequate directions for use and does not include any false or misleading statements. The FDA will consider labeling misleading if the labeling fails to reveal material facts with respect to consequences that may result from the use of the device under the prescribed or customary conditions of use. The proposed guidance includes a detailed 14 point recommendation for cybersecurity labeling — something manufacturers should closely consider.

If you manufacture devices that will be subject to these regulations, be sure to add your comments before the deadline. Submit electronic comments to https://www.regulations.gov and submit written comments to the Dockets Management Staff (HFA-305), Food and Drug Administration, 5630 Fishers Lane, rm. 1061, Rockville, MD 20852. A copy of the notice with additional instructions for providing comments can be found here.

Our take

Manufacturers of these devices should promptly submit their comments to the FDA in order to address any concerns they may have. An important take-away: devices only fall into Tier 1 if a cybersecurity incident could harm multiple patients. This gives some insight into the FDA’s target: devices where a single incident could have network effects across a community of patients. Because more and more devices with industry-leading features will fit into Tier 1, manufacturers will be best served by involving themselves early in the FDA’s guidance drafting process.