FDA’s Refuse-to-Accept Guidance for Cybersecurity Raises the Stakes

April 20, 2023

The FDA has published a guidance describing the agency’s new refuse-to-accept (RTA) approach to cybersecurity in medical devices. This short, 6-page guidance casts a long shadow across the medical device landscape. It states that the agency will refuse to accept a premarket submission that fails to include adequate cybersecurity information, just one of several recent developments that show how serious the U.S. federal government is about cybersecurity.

The FDA did not arrive at this point without prompting. The guidance was mandated by Section 3305 of the Consolidated Appropriations Act, 2023, which passed at the end of 2022. In addition, cybersecurity has come under more intense scrutiny in recent years, so much so that the White House released a National Cybersecurity Strategy in March 2023. The FDA’s guidance took effect immediately upon issuance on March 29, but the agency stated that it will exercise discretion in its use of the RTA authority until October 1, giving developers 6 months to bring their cybersecurity documentation into compliance.

Guidance Introduces the Cyber Device

The guidance was issued by the Center for Devices and Radiological Health and the Center for Biologics Evaluation and Research, but it is important to bear in mind that digital health products used in conjunction with drugs regulated by the Center for Drug Evaluation and Research are also likely within its scope. While the guidance does not mention combination products, it applies to any “cyber device,” defined as a device that:

  • Includes software that is validated, installed, or authorized by the sponsor as a device or is embedded in a device;
  • Can connect to the internet; and
  • Contains any technological characteristics that could be vulnerable to cybersecurity threats.

The sweep of this guidance is extensive, given that something as seemingly innocuous as a software module implementing the TCP/IP protocol stack falls within scope. The FDA has issued alerts about vulnerabilities in such components in the past, and it seems unlikely that the agency’s attention to this kind of detail will ease in the near term.

FDA Resurrects the Draft Guidance Limbo Problem

This guidance interacts directly with at least 5 other FDA guidances, including the RTA policy for 510(k)s and the acceptance guidances for PMA and De Novo submissions. Of more immediate interest may be the FDA’s draft guidance on cybersecurity in premarket submissions and its final guidance on postmarket management of cybersecurity. The premarket draft presents developers with an awkward compliance problem: it was issued more than a year ago and has not been finalized, and there is standing tension over whether the agency’s reviewers may invoke a draft guidance during review.

This tension is especially difficult to navigate for premarket cybersecurity because the previous final guidance was released in 2014, and the agency acknowledged that it withdrew the 2018 draft because novel threats emerged between 2018 and 2022. Hence, we urge our clients to be mindful of the 2022 draft, as it more closely represents the agency’s current thinking on premarket considerations than any other available document. The draft includes language on vulnerability testing and penetration testing, both fast-moving areas of threat, particularly now that artificial intelligence (AI) toolkits are becoming increasingly available to attackers.

Secure Product Development Framework a Means of QSR Compliance

The premarket cybersecurity draft suggests that developers manage total product life cycle (TPLC) cybersecurity considerations through a Secure Product Development Framework (SPDF), which may also be used to satisfy the requirements of the Quality System Regulation (QSR). An SPDF is described as a set of processes that reduce both the number and the severity of vulnerabilities across the TPLC. The draft notes that healthcare facilities may find the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity useful, but for manufacturers an SPDF would consist of three components: security risk management, security architecture, and cybersecurity transparency.

The SPDF section on risk management reiterates the FDA’s standing position that the likelihood of a cybersecurity exploit cannot be estimated probabilistically, so the likelihood-based risk estimation of ISO 14971 safety risk management is of little help in anticipating security risk. Overall, the components of this section take up matters such as:

  • Threat modeling;
  • Third-party software components;
  • Assessment of unresolved anomalies;
  • Risk management documentation; and
  • TPLC risk management.

While the FDA’s guidance for postmarket cybersecurity management is not immediately relevant to the cybersecurity RTA guidance, it bears noting that the postmarket guidance is somewhat dated, carrying a publication date of December 2016. For now it stands as the guidance of record, but the prospect of cyberthreat drift suggests that compliance with it is a bare minimum standard for managing cyberthreats in the postmarket environment.

The scope of the postmarket guidance is already out of step with the terms of the cybersecurity RTA guidance, as the postmarket guidance makes no direct mention of devices that can connect to the internet. While the FDA goes out of its way to assert that cybersecurity is a responsibility shared by developers/manufacturers and healthcare facilities, we would hasten to point out that the FDA will not issue a warning letter to a healthcare facility for failing to uphold its end of the cybersecurity bargain.

Software developers may already find the list of relevant guidances lengthy and borderline unmanageable, a problem that may be vastly amplified when the software includes an artificial intelligence (AI) algorithm or one from AI’s rapidly growing machine learning (ML) subset. We recently explained the FDA’s draft guidance for predetermined change control plans, but there is relatively little experience with how AI and ML products may be susceptible to novel forms of cyberthreats.

Thus, developers are dealing with a vast amount of regulatory uncertainty, but again, we emphasize that the FDA is quite serious about cybersecurity. This is not just because the Biden administration has staked out a wide swath of policy territory on cybersecurity, but also because Congress saw fit to give the FDA the authority to mandate cybersecurity provisions in both its premarket reviews and its postmarket surveillance.

Additionally, the Federal Trade Commission has its own independent authority to enforce rules on health information breaches, and it is not implausible that litigation over cybersecurity lapses could ensue under product liability law or the False Claims Act. If ever there was a time to take cybersecurity lightly, this is not that time.