Unlike other regulators, the FDA maintains separate guidances for premarket and postmarket medical device cybersecurity, an approach some stakeholders have argued is cumbersome. Despite those concerns, the agency has now added a discussion paper on cybersecurity for medical devices serviced by third parties, a document that may extend the manufacturer's responsibilities beyond the conventionally understood total product life cycle (TPLC).
The FDA released the discussion paper for cybersecurity for serviced medical devices simultaneously with a draft guidance regarding the distinction between device servicing and remanufacturing. The June 17 FDA statement primarily highlights the servicing/remanufacturing draft, but cites a need for collaboration to address the challenges associated with cybersecurity when a third party services a medical device.
The discussion paper describes four general policy considerations. Two of these are privileged access, meaning access mechanisms the original equipment manufacturer (OEM) can build into the device so that third parties are able to service it, and the prevention and mitigation of cybersecurity vulnerabilities. Perhaps the key consideration in the paper, at least in terms of how the FDA distinguishes it from previous policy documents, is found in the section on product life cycle challenges and opportunities. The paper states that the OEM may at some point determine that it can no longer feasibly support the device, even though the operator of the device or system continues to find the equipment clinically useful.
One solution to this dilemma may be the execution of a responsibility agreement between the OEM and the healthcare establishment, but the paper is vague at best as to how the FDA perceives the OEM's responsibilities in this scenario. This is particularly salient given the absence of any signal from the agency as to the extent to which a third-party servicing entity would assume responsibility for device performance once the OEM has declared it can no longer support the device. The paper refers to ANSI/AAMI/IEC 80001:2010 for an examination of the responsibility question, but the International Organization for Standardization (ISO) indicates this standard is up for revision or replacement, adding a layer of uncertainty as to what an eventual FDA draft guidance may prescribe.
The question is also likely to arise in connection with systems that are in use in underserved communities, where clinical sites are more likely to resort to the use of legacy devices due to budgetary constraints. The FDA refers to the March 18, 2020, guidance by the International Medical Device Regulators Forum (IMDRF) to provide a definition of a legacy device, which is a device that cannot be reasonably protected from cyberthreats by means of updates and/or compensating controls.
Premarket Cybersecurity Guidance up for Revision
The issues surrounding third-party entities that service medical devices have proven controversial for manufacturers of imaging equipment for several years, and the intensity of the controversy has ebbed little, as a February 2021 statement by the Medical Imaging & Technology Alliance demonstrates. Despite the history of this controversy, the discussion paper represents a significant departure from previous policy: in the FDA's 2018 report on device servicing, cybersecurity for serviced devices was treated as part of the general theme of servicing rather than as a separate policy point, whereas it now has a standalone document.
One point that might be taken into consideration as a matter of timing is that the FDA intends to rewrite the 2014 final guidance for cybersecurity in premarket submissions. The rewrite is part of the agency's guidance agenda for fiscal 2021, and while the new draft was not available as of the publication of this blog on June 24, 2021, the COVID-19 pandemic has made it difficult for the agency to maintain its guidance development pace. It seems likely that staff at the FDA's Center for Devices and Radiological Health (CDRH) will finalize the rewrite of the premarket cybersecurity guidance before posting a draft guidance on cybersecurity for third-party servicing, although the 2016 final guidance for postmarket cybersecurity considerations is also salient, perhaps more so than the premarket guidance, since servicing is by definition a postmarket activity.
Cybersecurity considerations for software-enabled medical devices, including firmware, are within the scope of the discussion paper, which also includes:
- Programmable logic features;
- Software “that is a medical device;” and
- Devices deemed to be part of an interoperable system.
In the paper's discussion of prevention and mitigation of cybersecurity vulnerabilities, the FDA states that servicing entities play a significant role in deploying patches and software upgrades to deal with cybersecurity threats. In turn, OEMs can facilitate better cybersecurity by enabling these third parties to assist in maintaining it, but the paper's brief mention of the Quality System Regulation predictably omits any discussion of how third parties fit within it. The FDA invited all stakeholders to collaborate on methods for efficiently developing and validating software changes that sustain a reasonable degree of cybersecurity, but this section of the paper offers no specifics about the respective roles and responsibilities of OEMs and third-party servicers.
The paper concludes with three requests for stakeholder feedback. These are:
- Identification of the cybersecurity challenges and opportunities associated with servicing of medical devices;
- How third-party servicing entities can contribute to a more robust cybersecurity environment; and
- Whether the paper’s principal discussion points largely or entirely capture the appropriate range of considerations.
The FDA is accepting feedback through Aug. 17, 2021, and will convene a July 27 webinar regarding this discussion paper and the draft guidance for remanufacturing of medical devices, which we will review in a subsequent blog.