FDA Cybersecurity Update Takes Aim at Medical Device Quality Systems


The classic example of medical device cybersecurity in popular culture from 2012 was the fictional assassination of a Vice President by hackers who took over his pacemaker. As improbable as that might sound, it was only five years later that nearly half a million pacemakers were recalled in the U.S. to address just such a vulnerability. That 2017 recall brought sudden awareness of cybersecurity risks to the medical profession and the public at large.

In 2014 FDA issued a final guidance, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.” This brief document focused narrowly on the device design process, which is regulated by a single section of FDA’s Quality System Regulation (QSR), 21 CFR 820.30.

Even when the cybersecurity guidance discussed risk (the word most likely to follow “cybersecurity”), it did so in terms of 21 CFR 820.30(g), Design Validation, which was the only place in the QSR where risk is mentioned. (This is in contrast to the international equivalent of the QSR, ISO 13485:2016, which applies risk across the entire quality system.)

This design-centric approach was somewhat foreign to risk management in general and to cybersecurity in particular. Cybersecurity, like all risks, should apply throughout a device’s entire lifecycle, but the 2014 final guidance mentions the device lifecycle only in the context of software updates and patches. (Yet a medical device with only a single LAN port and the most basic firmware, and with no updateable software at all, can still have cybersecurity vulnerabilities.)

From a Quality Assurance perspective, the 2014 final guidance fed cybersecurity into two or three SOPs: Design Control, certainly, and Risk Management, at least for device design. Companies with a separate SOP for Software Development had to apply cybersecurity there as well. But this was no great burden on QA, since many manufacturers already use outside expertise in the Design Reviews that twine those three processes.

In 2018, FDA issued a new draft of the 2014 guidance. The text expanded from 9 to 24 pages. There were extensive details for designing a trustworthy device, based on the Cybersecurity Framework from the National Institute of Standards and Technology (NIST). There was a new section about labeling for devices with cybersecurity risks. And there was a recommendation for a Cybersecurity Bill of Materials (CBOM), to help review software components for the cybersecurity risks that they might add to the mix.

But for all that, the 2018 draft guidance still focused on the design of the device being submitted to FDA for clearance or approval. The burden of cybersecurity vigilance still fell to the design team and risk management team (often the same personnel at a small company). From the perspective of the quality system, cybersecurity was (mostly) someone else’s problem.

In April 2022, FDA took a broader approach. A new draft guidance was issued, and the changed title said it all: “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.” The new draft was twice as long as the 2018 draft; over five times as long as the original 2014 guidance. And just in case the document title wasn’t clear enough, Section A of the draft was: “Cybersecurity is Part of Device Safety and the Quality System Regulations.”

As the 2022 draft guidance states: “FDA recommends that device manufacturers implement comprehensive cybersecurity risk management programs and documentation consistent with the QSR, including but not limited to complaint handling (21 CFR 820.198), quality audit (21 CFR 820.22), corrective and preventive action (21 CFR 820.100), software validation and risk analysis (21 CFR 820.30(g)), and servicing (21 CFR 820.200).”

The draft goes on to cite production processes (21 CFR 820.70), purchasing controls (21 CFR 820.50), and the Design Master Record (21 CFR 820.181). Cybersecurity’s footprint in the quality system has gone from one section of the QSR to a minimum of eight.

Some of these quality processes are at least nominally involved in design control, such as the selection of suppliers under 21 CFR 820.50(a). Others, such as complaint handling under 21 CFR 820.198, don’t come into play until the design is complete and the device is on the market. When it comes to cybersecurity and the quality system, there is no longer any such thing as “someone else’s problem.”

In other words, FDA is now applying cybersecurity in the same way that ISO 13485:2016 applies risk; that is to say, across the entire quality system. This comes just in time for FDA’s integration of ISO 13485:2016. As many of you know, in February 2022, FDA released a long-awaited proposed rule that would replace most of the QSR with content adapted from ISO 13485:2016, thus applying risk explicitly to multiple sections of the regulation.

In the 2022 draft guidance, FDA has abandoned its proposed Cybersecurity Bill of Materials (CBOM), falling back on the more industry-standard Software Bill of Materials (SBOM). At the same time, FDA has proposed that manufacturers implement a new Secure Product Development Framework (SPDF), “a set of processes that reduce the number and severity of vulnerabilities in products throughout the device lifecycle.” The SPDF would run in parallel with elements of the Software Development Life Cycle (SDLC), as established in the FDA-recognized consensus standard IEC 62304, as well as FDA’s own guidances for software development.

Industry has pushed back a little against FDA’s 2022 draft guidance, though not as much as it has against the integration of ISO 13485:2016. For example, for the proposed rule on ISO 13485, the Medical Device Manufacturers Association (MDMA) recommended to FDA that the proposed one-year timeline for implementation be extended to three years. For the 2022 cybersecurity draft guidance, on the other hand, MDMA’s response has been more nuanced, focusing on the extent to which cybersecurity activities must be presented in 510(k) submissions.

But as Quality Assurance professionals know, reducing the extent of submission documentation does not ultimately reduce the burden on the quality system. Even though quality procedures are not submitted with a 510(k), FDA will inspect the manufacturer’s facility post-clearance, and at that point they will review all of the quality procedures.

The question for Quality Assurance in all this is when to get ready to implement cybersecurity across the entire quality system. The answer is: now and later. Now, to get ready, by studying the 2022 draft guidance, as well as the many standards and guidances that it references. For this purpose, the footnotes of the draft are a clear study guide, just as the text of the draft is a clear structure for building cybersecurity records. And later, to update the quality system, after FDA issues the final guidance.

As we have seen, the cybersecurity guidance has already gone through two drafts since the previous final guidance was issued in 2014. When FDA performs an onsite inspection, they expect the quality system to comply with final guidances, unless the manufacturer has a very good justification for an alternate approach. FDA can point to draft guidances as a good basis for creating quality records, but does not require their implementation within quality procedures.

The application of cybersecurity “throughout the device lifecycle,” as described in the 2022 draft guidance, shows that FDA’s approach has matured to focus on security holistically. There is a shift happening in cybersecurity in the medical device space. FDA is recognizing the need to integrate security early in the device lifecycle, instead of trying to tie it in at the end of the design process. Building from the foundations is far better than building backwards, and quality systems will adapt to support this new approach.


Dan Goldstein is Senior Director for Quality Assurance at MCRA, LLC, a Washington, D.C.-based medical device consultancy. Mr. Goldstein has worked since 2002 in medical device QA, with experience in devices ranging from autologous blood products for wound healing to computer-aided-detection software for lung diseases. He is certified by the American Society of Quality (ASQ) as a Certified Quality Auditor (CQA), and by Exemplar Global (RABQSA) as an ISO 13485:2016 Lead Auditor and an EU MDR Auditor.
