The FDA's rewrite of a 2014 guidance on premarket requirements for device cybersecurity came with a 150-day comment period, long enough for stakeholders to register a few complaints with the document. One of the most common criticisms of the draft is its use of a two-tiered device cybersecurity risk system that runs independently of the inherent risk of the underlying device, a feature that drew substantial blowback from several stakeholders, including the Connected Health Initiative (CHI) and the Advanced Medical Technology Association (Advamed).

The reissued draft guidance was accompanied by a notice of a two-day workshop on cybersecurity, and included a number of more or less novel features, including a requirement for a cybersecurity bill of materials (CBOM) in premarket applications. The agency introduced a regulatory concept in the draft, that of "higher cybersecurity risk," which generally entails the ability to connect with other devices or with internet access systems, but the draft also called for differing standards for demonstration of adequate cybersecurity protections based on the ability to connect with other devices or equipment. (See BioWorld MedTech, Oct. 18, 2018.)

Brian Scarpelli, senior global policy counsel for the D.C.-based CHI, said the two-tiered approach to risk "would introduce uncertainty for cutting-edge medical devices" thanks to the conflict with the single risk framework used in the FDA's December 2016 cybersecurity guidance for postmarket considerations. Scarpelli urged the agency to abandon the two-tier approach in order to avoid conflicting with the postmarket guidance.

Scarpelli said CHI agrees with the concept of a CBOM, but noted that the phrase "software bill of materials" (SBOM) is already in common parlance, and recommended that the agency switch to SBOM. However, CHI's view is that whichever phrase and acronym are used, the agency should make clear that such documentation "need not contain proprietary information," such as source code. Scarpelli noted that the FDA might provide more detail as to what sort of development would merit mention in an SBOM/CBOM update, but recommended that the FDA allow the National Telecommunications and Information Administration to complete its work on software transparency before moving forward on the draft's disclosure requirement.

MITA questions status of legacy device systems

Writing on behalf of the Medical Imaging & Technology Alliance (MITA), executive director Patrick Hope said the draft was not clear on how the terms of the associated requirements would apply to legacy products, recommending that the terms not be applied retroactively.

Hope said the two tiers of cybersecurity risk lack clarity, posing the question of how the agency would distinguish an incident that could directly result in harm to multiple patients from one that does not present such a risk. He pointed out that a security incident affecting a single cardiac electrophysiology device might present a risk only to the patient in whom the device was implanted, while a vulnerability inherent to an entire line of such devices could affect multiple patients.

The discussion of CBOMs is also problematic, Hope said, because it does not stipulate whether the scope of such a document is limited to known vulnerabilities. MITA, too, Hope said, recommended the agency default to the SBOM language, due to the established acceptance of the term and acronym, but also because the term is "a more accurate indication of what is required to assess cybersecurity."

The draft is overly prescriptive in some regards, Hope said, citing language he said seems to dictate how a control should be implemented rather than what the objective of a control ought to be. He said an emphasis on objectives rather than on the means for attaining those objectives would align the draft with "other globally recognized cybersecurity frameworks and standards."

Zachary Rothstein of Advamed also found fault with the two-tier risk framework in the draft guidance, stating that such an approach is "confusing and unnecessary given its superficial similarity to FDA's risk classification scheme for medical devices." Rothstein noted that small implanted medical devices, such as implantable defibrillators and pacemakers, are subject to more engineering constraints than devices used in hospital settings. Ergo, he said, the recommended cybersecurity controls should take such differences into account, and he recommended an approach based on the exploitability of a vulnerability and the severity of harm should that vulnerability be exploited.

As with the other stakeholders, Advamed urged the agency to default to the SBOM approach in lieu of CBOMs, adding that an SBOM might be defined as a list of off-the-shelf or open-source components that are included in a device, although that information would be limited to the software version and build number. Rothstein said that a bill of materials that includes hardware presents challenges that are not encountered in software bills of materials, including that hardware components may contain subcomponents that are not readily identifiable from the supplier.

Requiring itemization of such information "will very likely work against the shared goal to prioritize, prevent and react to cybersecurity risks," Rothstein said, adding that the SBOM effort, which MITA is piloting, does not include a provision for hardware. He said that the inclusion of hardware might eventually prove useful, but that such a requirement at present may prove unwieldy.

Rothstein also raised the question of the frequency of updates to the bill of materials, noting that health care organizations will need an "orderly process" for updating bills of materials. He said the device maker is not always in control of the timing of those updates, such as updates provided by third-party software used in a device. Advamed was also concerned about the potential retroactivity of the guidance once it appears in final form, adding that devices that are in development should not be held up by the requirements of the guidance. Rothstein also recommended that the final guidance be followed by a phase-in period of two years.