Key takeaways from FDA’s contracted report on legacy medical device cybersecurity
A new FDA-commissioned report provides recommendations on the next steps in managing cybersecurity risks for medical devices. The FDA, industry and international regulators have been working to determine which policies may mitigate cybersecurity risks for “legacy” medical devices no longer supported by manufacturers. The report offers recommendations that focus more on filling knowledge and infrastructure gaps and less on potential guidance for device manufacturers.
“Legacy” medical devices, cybersecurity, and ongoing regulatory policy challenges
- Legacy medical devices are those that are no longer supported by their original manufacturers. While these products were legally marketed, and are still in use, they are no longer supported – meaning that the manufacturer may no longer be servicing or repairing them. This raises some unique questions for cybersecurity maintenance – per the FDA, “Legacy medical devices are those that cannot be responsibly protected against current cybersecurity threats, and these devices can pose significant risks to the health care sector” as “cybersecurity controls that may have been effective at their point of purchase may no longer be adequate now” or going forward.
- The International Medical Device Regulators Forum (IMDRF) finalized a technical document in April 2023 on legacy device cybersecurity. That document sought to clarify the framework for legacy devices that was articulated in the IMDRF N60 guidance. As such, it clarifies the differences between “End of Support” (EOS) and “End of Life” (EOL) for a medical device and describes the regulatory responsibilities at each stage. Per IMDRF’s assessment, once the manufacturer determines that a device is at the end of its lifecycle, a “limited support” phase is triggered, at which point the “customer [the device’s user] begins planning for activities and end of support.” This phase ends at the end of support (EOS), and the device becomes a legacy device. Per that guidance: “No support should be expected for any medical device past the established cybersecurity EOS date.”
- Also in 2023, the Healthcare Sector Coordinating Council (HSCC) published Health Industry Cybersecurity Managing Legacy Technology Security (HIC-MaLTS). This document sought to describe best practices for cyber risk management for legacy devices, describing recommendations for practices at EOL and EOS – as well as a third option, End of Guaranteed Support (EOGS). Similar to the IMDRF, HSCC recommended that there should be language in contracts between health delivery organizations (HDOs) and device manufacturers about “support timeframes” and that device manufacturers should be sure to communicate transparently about EOL/EOGS/EOS status. As recognized in that document: “It is important to consider that, even after a technology has been declared EOL/EOGS/EOS or has become legacy, it may still have useful life from the HDO perspective due to various factors.” The document further outlines best practices for the “transfer of responsibility” from the manufacturer to the user.
- The new cybersecurity requirements have left device manufacturers wondering about the implications for legacy devices under FDA oversight. In November 2023, the FDA finalized new guidance outlining what cybersecurity information is expected in medical device submissions and as part of the quality system regulations. That guidance was published as the FDA’s new authority to require cybersecurity information in certain medical device submissions (i.e., those for “cyber devices”) came into effect. However, as AgencyIQ has previously discussed, the final guidance did not necessarily address legacy devices or even re-submissions of legacy devices, leaving industry with questions about what to do when moving forward with an older device.
- There are also questions about what to do for EOS devices that are not being re-submitted. In 2021, the FDA issued a Discussion Paper outlining perspectives on medical device remanufacturing for digitally enabled medical devices, which included cybersecurity considerations. “Remanufacturing” is an activity that changes the fundamental performance or safety of a legally marketed device (e.g., swapping out certain components) and is separate from servicing, in which a device is brought back up to its authorized performance specifications. While remanufacturing implicates regulatory requirements, and in particular, quality system regulations, servicing does not. There has been a lot of confusion about the application of these terms and oversight of these activities when they are conducted by entities other than the medical device’s manufacturer, such as third-party servicers.
- For legacy devices, the discussion paper proposed a potential solution of cybersecurity “responsibility agreements,” similar to those discussed by the IMDRF above. This concept proposes that the device manufacturer designs and executes an agreement so that the user understands what to do about an unsupported device for which cascading cybersecurity issues would not be able to be addressed by servicing alone. Such an agreement would need to help the user understand the risks they would “inherit” in using a legacy device from a cybersecurity perspective. While the agency solicited feedback on that paper, it has not taken additional action on the subject.
This month, a new FDA-commissioned report offers some insight on next steps
- The report was published by the MITRE Corporation but was contracted by the FDA. Per the agency, “the FDA contracted with MITRE to develop the report, Next Steps Toward Managing Legacy Medical Device Cybersecurity Risk,” which “outlines practical approaches and recommendations that build on previous work and can further drive sector-wide legacy device cyber risk management efforts.”
- The report provides a landscape analysis, using interviews to outline the scope of the issues for legacy devices currently in use. Based on this input, MITRE then “identified challenges in adopting the processes” for managing legacy device cybersecurity risk, such as the processes outlined by IMDRF and HSCC. The report cites the work of these groups but notes that “some challenges and gaps remain in implementing those recommendations.” These include the data needed to inform decisions by health delivery organizations (HDOs) about continued use of a device, defining the lifecycle phases clearly and consistently between device manufacturers and HDOs, and the HDO-specific processes of taking responsibility for medical devices.
- The report offers several recommendations, many of which focus on enhanced relationships and communication between the medical device manufacturer (MDM) and HDO. These largely relate to building out a system, or investing in infrastructure or research, that would allow for more meaningful communication about EOS/EOGS/EOL timelines, the implementation of a transfer of responsibility, and what practical implications may look like.
- Under the umbrella of “shared responsibility over the medical device lifecycle,” the report offers four distinct recommendations: 1) Piloting a data collection project to inform understanding of how HDOs make decisions about legacy devices; 2) Developing templates for information sharing agreements (ISAs) between MDMs and HDOs; 3) Establishing a security architecture working group that would benefit both MDMs and HDOs; and 4) Investing in research on “modular” design for medical devices to allow for legacy components to be more easily swapped out.
- A fifth recommendation focuses on vulnerability management, with the report citing the resource-intensive and time-consuming nature of the current process. One complexity for HDOs is understanding the role that different entities (e.g., MDMs, public disclosures, government safety alerts from the FDA or the Cybersecurity and Infrastructure Security Agency (CISA)) play in notifying the HDO of a cybersecurity vulnerability. The report from MITRE recommends a study on vulnerability management processes, which would include determining the feasibility of a repository, maintaining protection of MDM proprietary information, and ensuring that vulnerability information is actionable.
- The final three recommendations are for HDOs, and include building out and developing a cybersecurity workforce with core competencies, as well as developing a system of “mutual aid across HDOs, particularly between well-resourced and less resourced HDOs.”
Analysis and what’s next
- As noted above, the FDA asked for this report. The assessment was intended to build on (and update) the 2017 HHS Healthcare Industry Cybersecurity Task Force Report and complement the more recent work of the IMDRF and HSCC. The report ultimately sought to address the existing gaps in the system that are holding up implementation and adoption of the best practices identified by IMDRF and HSCC.
- Most of the recommendations don’t really lend themselves well to new FDA guidance. The report’s recommendations focus on research and infrastructure gaps (e.g., assessing the feasibility of having a single repository of vulnerability disclosure information) and areas in which there could be more coordination and understanding between MDMs and HDOs, such as partnerships where each sector shares its perspectives on networking and security. However, the report and its recommendations don’t call out distinct, discrete areas where the FDA could issue guidance for device manufacturers on the steps they would need to take to ensure that they have sufficiently fulfilled their responsibilities for devices as they wind down guaranteed services and the devices transition to legacy status.
- There are some interesting ideas, including the development of templates for information sharing agreements (ISAs), or the agreements that “describe expectations for cybersecurity design and practices between MDMs and HDOs.” As the report notes, these are usually initiated by HDOs, but “given the complexity and diversity of these agreements, it would be beneficial for HDOs and MDMs to have template ISAs to be used as models to streamline the process and ensure that appropriate expectations are included for managing legacy medical device cybersecurity risks.” Having a template to work from that can “include expectations for security controls, device access (e.g., credentials), identification and timely management of product security vulnerabilities for products sold and supported by the vendor for the product life, and potential requirements for support after useful life period has expired for some legacy capital devices” could reduce the guesswork for manufacturers.
- What’s next? So far, it looks like the actual expectations for cybersecurity for legacy devices are still a work in progress. The FDA’s new contracted report lays out the infrastructure gaps that are still hampering adoption of best practices, as well as information gaps that are hindering the development of new or more comprehensive best practices going forward. While the FDA is expected to issue a final remanufacturing guidance in FY2024, according to CDRH’s guidance agenda, it seems unlikely that this document will incorporate the cybersecurity approaches from the 2021 discussion paper.