The FDA’s long-awaited draft guidance on medical device cybersecurity has now cleared administrative review at the White House’s Office of Management and Budget (OMB), paving the way for its release.
Background: The FDA’s cybersecurity approach so far.
- CDRH currently has several guidance documents on medical device cybersecurity. This includes a final guidance document on cybersecurity expectations for developers using off-the-shelf (OTS) software in networked devices (as well as an accompanying guidance document for health care organizations) that were finalized in 2005. In addition, the agency has a final guidance document on pre-market submission expectations related to cybersecurity, finalized in 2014, and post-market management of cybersecurity concerns, finalized in 2016.
- In 2018, the agency drafted an update to its 2014 pre-market guidance. That draft guidance outlined an updated approach to the 2014 pre-market guidance, citing the heightened “need for effective cybersecurity” in an increasingly connected health care environment, where “cybersecurity threats… have become more frequent, more severe, and more clinically impactful.”
- The updated draft guidance outlined a two-tiered approach to cybersecurity submissions, with pre-market requirements stratified by the risk presented by a potential cybersecurity incident, as well as recommendations on a cybersecurity bill of materials (CBOM) and system-level threat modelling.
- As AgencyIQ has previously discussed, industry expressed several significant concerns with the guidance, including issues with the two-tier approach, how multiple-function devices (MFDs, i.e., products with at least one device function and at least one non-device function) or interoperable device developers would be affected, and the device industry’s ability to meet FDA’s expectations, since cybersecurity has not traditionally been subject to FDA oversight.
- Despite rumors that FDA was working to finalize the guidance, it never did. However, FDA has continued to focus on cybersecurity in other ways. Following a two-day public workshop on the draft guidance in 2019, the agency worked with the Medical Device Innovation Consortium (MDIC) to build tools to advance cybersecurity expertise within the device industry, including threat modelling bootcamps for regulatory staff, work to benchmark industry’s cybersecurity maturity, and the development of a cybersecurity best practices playbook, which was published in November 2021. In addition, the agency has recognized cybersecurity-related medical device development tools (MDDTs), issued a white paper on how developers should communicate about cybersecurity issues, and issued new guidance on the regulation of software products and multiple-function devices (MFDs), which incorporates cybersecurity considerations.
- In January 2021, CDRH also brought in Archimedes Center for Medical Device Security (University of Michigan) founder Kevin Fu to serve as the new Acting Director for Medical Device Cybersecurity. In this role, Fu has highlighted the agency’s work on a revised draft cybersecurity guidance. As AgencyIQ has previously explained, CDRH’s plan is not to finalize the 2018 draft guidance but instead to issue an updated draft. According to regulators, the new draft will provide recommendations covering a more comprehensive view of cybersecurity activities, rather than solely the cybersecurity-related content of pre-market submissions.
That updated draft guidance is now cleared for publication.
- According to the White House Office of Information and Regulatory Affairs’ (OIRA) listing, the draft guidance has now cleared its review. OIRA, which conducts administrative reviews of agency actions as the final step before they can be released, lists the guidance as “consistent with change,” which means that the content of the draft was changed during this process. Notably, this is a common determination from OIRA, and it does not indicate the extent or source of the change. Having cleared review, the FDA is now free to publish the guidance – likely very soon.
- As expected, the new draft appears to extend beyond pre-market considerations. The title of the guidance listed at OMB is “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.” This would align with the FDA’s position that cybersecurity will need to be an iterative process for developers, as Fu and then-Digital Health Center of Excellence (DHCoE) Director Bakul Patel discussed in June 2021. At the time, Patel (who now serves in a different position) highlighted the “continuously moving, emerging, and evolving area” of cybersecurity policy that went beyond “just premarket and postmarket” concerns.
- The draft would come as both the agency and Congress are considering new cybersecurity measures. As AgencyIQ has discussed, the FDA’s FY2023 budget request specifically asks Congress for new authority to require cybersecurity information in pre-market submissions and to allow post-market regulation of devices regarding cybersecurity issues. Notably, legislation to this effect (the Protecting and Transforming Cyber Health Care (PATCH) Act) was recently introduced in the House by Representative Michael Burgess and is being considered for inclusion in the upcoming medical device user fee program reauthorization (MDUFA V). That bill would also add cybersecurity-related issues to the definitions of “adulteration” and “misbranding,” which would make failure to comply with these regulatory expectations (e.g., supplying a software bill of materials, or SBOM) a violation of the Federal Food, Drug, and Cosmetic (FD&C) Act – and open up the ability for the FDA to take enforcement action against non-compliant firms.
- To contact the author of this item, please email Laura DiAngelo.
- To contact the editor of this item, please email Alexander Gaffney.
Key Documents and Dates