background image for GxP Lifeline
GxP Lifeline

FDA’s Newest Medical Device Security Guidance


2021-bl-matt-lowe_715x320

As medical devices have grown increasingly complex, so have the regulations surrounding them. This is understandable when you consider the risks posed with software and connected devices. While the U.S. Food and Drug Administration (FDA) has released guidance in the past about security in medical devices, the pace of technology warrants more frequent guidance documents. The latest FDA cybersecurity guidance to be released is still in the draft stage, “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.”1

Software Bill of Materials (SBOM)

As I recently mentioned in another post,2 the idea of a software bill of materials (SBOM) is nothing new. And, as expected, it’s becoming less of a regulatory “nice to have” and more of a requirement. This latest guidance document ties an SBOM to the requirements in 21 CFR 820. The guidance states “all software … should be assessed for cybersecurity risk and that risk should be addressed. Accordingly, device manufacturers are expected to document all software components of a device.”3

The SBOM is still not required, but it’s noted as a possible way to fulfill this requirement. The SBOM lists all software components and aids in medical device cybersecurity risk management by helping identify devices affected by software vulnerabilities. The agency is recommending an SBOM be included in a device’s premarket submission and lists in the guidance the documentation that should be included.

Secure by Design

Quality by Design is the idea of building quality into a product from the beginning. Secure by design follows the same basic concept. The FDA cybersecurity guidance is encouraging manufacturers to build cybersecurity into a device from the beginning of the product development rather than only considering it after the product is finished. This approach should make it easier to follow this and any future guidance documents if medical device manufacturers show that cybersecurity is top of mind for them.

AI/Ml-Enabled SaMD

For those who would like further clarification on the guidance, the FDA hosted a webinar with a presentation followed by a Q&A.4 During that Q&A one of the attendees brought up the question of software as a medical device (SaMD) that uses artificial intelligence (AI) and/or machine learning (ML). SaMD is still a medical device, so medical device cybersecurity risk management is still a concern and this guidance definitely still applies. The answer from the FDA official was to focus on the objectives of the guidance.

AI/ML-enabled SaMD will require different applications of these principles. The integrity of the algorithms should be a point of focus and where the algorithm is housed will change how companies apply this guidance. The example given by the FDA official was that applying this guidance for AI/ML in the cloud will look different from AI/ML that’s part of a medical device. It is interesting to note that, while AI/ML is becoming more common in medical devices, the FDA cybersecurity guidance itself does not mention it.

Conclusion

The more connected medical devices become, the more cybersecurity risk they present. The FDA and other regulatory bodies are trying to help medical device companies stay ahead of hackers and help keep patients safe. Having to deal with third-party providers and devices that are even more complicated due to AI/ML present their own unique challenges. By following industry best practice and this guidance, manufacturers can improve their medical device cybersecurity risk management and ensure safe devices for patients.


References:


2016-nl-bl-author-matt-lowe

Matt Lowe has served MasterControl for nearly two decades across several different executive leadership roles including product, engineering, sales, and marketing, and now will continue his tenure as Chief Strategy Officer. In this role, Lowe brings vast institutional knowledge of the market, MasterControl’s products, and customers to identify growth strategies and expansion opportunities for the company. He also serves on the MasterControl Board of Directors.

Lowe is a medical device expert with experience in product development and product management at Ortho Development Corp. and Bard Access Systems, a subsidiary of BD. Lowe has successfully launched more than a dozen medical devices. He has five patents issued and one pending. His regulatory experience includes writing a 510(k) that was cleared by the FDA and managing a multi-site, multi-year post-market clinical study for orthopaedic devices.

Lowe has a bachelor's degree in mechanical engineering from the University of Utah and an MBA from Indiana University.


[ { "key": "fid#1", "value": ["GxP Lifeline Blog"] } ]