Blog Tag: medical device cybersecurity
On April 08, 2022, the Food and Drug Administration (FDA) published a draft cybersecurity guidance document for medical devices, titled Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions. The draft guidance covers a wide range of issues, including secure device design, labeling, and documentation. The guidance is intended to provide medical device makers with a road map on how to satisfy the FDA’s quality system and patient safety regulations and how to address cybersecurity considerations within their premarket submissions.
The FDA’s draft guidance was released shortly before a report underlining the cybersecurity practice deficiencies of various medical device makers. On April 20, 2022, Cybellum – a company specializing in assessing product security – reported the results of its 2022 medical device cybersecurity survey in an article titled Medical Device Cybersecurity: Trends and Predictions. The survey found that, although 83% of the medical device companies surveyed saw device security as a competitive edge, 75% of respondents noted that they do not have a dedicated senior manager who takes responsibility for device cybersecurity.
The Cybellum survey also revealed that only about a quarter of the medical device companies surveyed (27%) generate and maintain a Software Bill-of-Materials (SBoM) for their products. An SBoM is a formal record containing the details and supply chain relationships of various components used in building software. President Joe Biden previously highlighted the importance of an SBoM in his Executive Order on Improving the Nation’s Cybersecurity from May 2021. Moreover, the National Telecommunications and Information Administration published The Minimum Elements for an SBoM on July 21, 2021, in an effort to bring “transparency to the components and connections within and across supply chains.”
The FDA’s draft cybersecurity guidance document is available here and is available for stakeholder comments until July 7, 2022.
Cybellum released a medical device survey report on April 20, 2022 entitled “Medical Device Cybersecurity: Trends and Predictions.” The company’s website states that their “mission is to enable manufacturers and their suppliers to develop and maintain products that aren’t just safe, but are also secure.”
According to the company website, in preparing the new report, Cybellum “asked top security experts from hundreds of medical device manufacturers, about their main challenges and how they plan to solve them in 2022, and beyond.”
Cybellum lists the following key findings from the report:
Almost 90% admitted they need to improve on key areas, such as SBOM [software bill of materials] analysis and compliance readiness
Over 55% do not have a dedicated response team (PSIRT) in place
Almost 55% increased their cybersecurity budget by more than 25% in 2022
Other media outlets described the report as finding “widespread cybersecurity noncompliance despite rising investment,” and “[m]ore than half of medical device companies think they are noncompliant with cybersecurity regulations, standards and guidelines.” Further, “compliance with requirements ranged from 54% for Food and Drug Administration premarket submissions to 37% for International Medical Device Regulators Forum (IMDRF) cybersecurity principles and practices.”
According to MedTechDive, the report states that “[m]ore than 80% of respondents see device security as a competitive advantage and almost every polled company increased its security budget this year. However, 78% of those surveyed indicated they are doing the minimum to achieve compliance and 80% view device security as a ‘necessary evil’ imposed by regulators.”
According to a press release by Cybellum, “[m]edical device cybersecurity has become an extremely complex challenge. With medical devices becoming software-driven machines, and the rapid pace at which cybersecurity risk evolves due to new vulnerabilities, complex supply chains, new suppliers, and new product lines, it has become seemingly impossible to keep the entire product portfolio secure and compliant at all times. It is now more important than ever to learn from peers and try to find the best way forward.”
The full text of the survey report can be found here.