Cybersecurity - Draft guidances from FDA and Health Canada
By Mitch on Thursday, 24 January 2019, 12:50 - Regulations - Permalink
In October 2018, the US FDA published a new draft version of its guidance on the content of premarket submissions for the management of cybersecurity in medical devices. Two months later, in December 2018, Health Canada published a draft guidance document on pre-market requirements for medical device cybersecurity.
We are surrounded by draft guidances!
US FDA Draft Guidance
To refresh your memory, this guidance defines the documentation to compile about cybersecurity for a premarket submission. The new draft guidance brings three significant changes, compared to the previous guidance of 2014:
- The concept of trustworthy device,
- A categorization of software: tier 1 and tier 2,
- A list of recommended mitigation actions by design.
Like the previously approved version, this draft guidance relies on the NIST Cybersecurity Framework to manage cybersecurity:
- Identify,
- Protect,
- Detect,
- Respond,
- Recover.
That's a good thing, as this framework is freely and globally available on the NIST website for all medical device manufacturers around the world. Free documentation is a good option when you want to promote security and protection from criminal organizations!
Trustworthy device
Cybersecurity introduces lots of new concepts for people who have never been exposed to it. To draw a parallel with patient safety, the concept of a trustworthy device (you will find the definition in the guidance) is the equivalent, for cybersecurity, of the concept of a validated device in terms of safety and clinical performance.
If a device is clinically validated, you trust it for patient management. If a device is trustworthy in the meaning of this guidance, you trust it for cybersecurity protection.
Tier 1 and Tier 2 devices
The really good news is the introduction of a hint of an explicit risk-based approach in this guidance. It defines two categories:
- Tier 1: Higher Cybersecurity Risk,
- Tier 2: Standard Cybersecurity Risk.
The level of evidence to bring to the FDA to demonstrate that your device is trustworthy is higher for tier 1 (full documentation) and lower for tier 2 (rationale-based partial documentation).
Thus, introducing cybersecurity risk assessment in your risk management process is a good idea.
List of recommended mitigation actions by design
The other good news is the clarification of the FDA's expectations on design for cybersecurity. The guidance lists no fewer than 37 design measures for cybersecurity management. It is striking that these measures are so numerous and precise. There is probably a will on the FDA's part to promote the design of secure devices by pointing directly to the relevant measures.
The drawback of this list is that it limits or focuses attention on a subset of measures, drawing the reader's eye to these measures only. (I had to find a drawback, didn't I?)
It is also worth noting that most of the recommendations can be found in the UL 2900-1 standard (to be reviewed in a future post).
Labeling recommendations
To end this quick tour of this guidance, just two remarks on labeling recommendations.
Information on cybersecurity has to be disclosed to end-users. This is a basic principle of cybersecurity management that you will find in other documents such as the ISO 2700x family of standards. The FDA follows this principle in its labeling recommendations.
And I can't help but finish with this last comment on the Cybersecurity Bill Of Materials (CBOM). The CBOM is the list of all off-the-shelf software components that have, or could later be found to have, vulnerabilities. The CBOM shall be cross-referenced with the National Vulnerability Database (NVD) or a similar known-vulnerability database.
Do you like IEC 62304 requirements on SOUP periodic review? Trust me, you are going to love CBOM - NVD cross-reference!!!
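The CBOM/NVD cross-reference described above, as an added example that is not part of the original post or of either guidance: a constructed CBOM of three off-the-shelf components is matched against constructed vulnerability records (placeholder CVE identifiers, not real entries) whose version-range field names follow the NVD JSON CPE match shape (versionStartIncluding, versionEndExcluding, versionEndIncluding). The version comparison handles OpenSSL-style letter suffixes and treats an exclusive upper bound correctly.

```python
import re

# Constructed CBOM: off-the-shelf software (SOUP) shipped in the device.
CBOM = [
    {"vendor": "openssl", "product": "openssl", "version": "1.0.2k"},
    {"vendor": "busybox", "product": "busybox", "version": "1.30.0"},
    {"vendor": "sqlite", "product": "sqlite", "version": "3.27.2"},
]

# Constructed vulnerability records with placeholder CVE ids (not real NVD data).
VULN_DB = [
    {"cve": "CVE-XXXX-0001", "vendor": "openssl", "product": "openssl",
     "versionStartIncluding": "1.0.2", "versionEndExcluding": "1.0.2u", "cvss": 7.5},
    {"cve": "CVE-XXXX-0002", "vendor": "busybox", "product": "busybox",
     "versionStartIncluding": "1.28.0", "versionEndExcluding": "1.30.0", "cvss": 5.3},
    {"cve": "CVE-XXXX-0003", "vendor": "sqlite", "product": "sqlite",
     "versionStartIncluding": "3.0.0", "versionEndIncluding": "3.27.2", "cvss": 9.8},
]

def version_key(version):
    """Turn '1.0.2k' into a comparable tuple: each dotted piece becomes
    (numeric part, letter suffix), so 1.0.2 < 1.0.2k < 1.0.2u."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"(\d+)([A-Za-z]*)$", piece)
        parts.append((int(m.group(1)), m.group(2)) if m else (0, piece))
    return tuple(parts)

def in_range(version, rec):
    """True when `version` falls inside the record's affected range."""
    v = version_key(version)
    if "versionStartIncluding" in rec and v < version_key(rec["versionStartIncluding"]):
        return False
    if "versionEndExcluding" in rec and not v < version_key(rec["versionEndExcluding"]):
        return False
    if "versionEndIncluding" in rec and v > version_key(rec["versionEndIncluding"]):
        return False
    return True

def cross_reference(cbom, vuln_db):
    """Return (product, version, cve, cvss) for every CBOM component whose
    vendor/product matches a record and whose shipped version is affected,
    highest CVSS first so the review starts with the worst finding."""
    findings = []
    for comp in cbom:
        for rec in vuln_db:
            same_component = (rec["vendor"], rec["product"]) == (comp["vendor"], comp["product"])
            if same_component and in_range(comp["version"], rec):
                findings.append((comp["product"], comp["version"], rec["cve"], rec["cvss"]))
    return sorted(findings, key=lambda f: -f[3])
```

In the constructed data, busybox 1.30.0 sits exactly on an exclusive upper bound and is therefore correctly reported as not affected; the periodic review consists of re-running this against a refreshed vulnerability export.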
Health Canada Draft Guidance
Like the US FDA guidance, this guidance gives recommendations on documentation to provide with medical device licence submission.
The guidance recognizes that a cybersecurity strategy shall be defined for devices incorporating software, from class I to class IV. This strategy should include:
- Secure design
- Risk management
- Verification and validation testing
- Planning for continued monitoring of and response to emerging risks and threats
Unlike the US FDA Tier 1 and 2 categories, the full Canadian guidance is applicable to all regulatory classes. However, the documentation is only reviewed by Health Canada for class III and class IV medical device licence applications. Class I devices require only a simple registration, and class II applications don't require submitting the design dossier.
NIST Cybersecurity Framework
Like the US FDA guidance, the Canadian guidance relies on the NIST framework for cybersecurity management. Yes, you read that right: Canada references a document available on the nist.gov website.
Cybersecurity measures
Like the US FDA guidance, the Canadian one gives a list of design measures to consider: no fewer than 17 measures are found in tables 1 and 3. It is worth noting that some of these measures come from UL 2900-1, which the guidance references.
Safety risk vs security risk
This draft guidance references AAMI TIR 57. It also contains a screenshot (figure 2) taken from AAMI TIR 57 showing the relationship between safety risk management and cybersecurity risk management.
Table 2 gives examples of the relationship between cybersecurity risk management and patient safety management. Beware when you read this table: you have to understand that each line is a chunk of a risk management process. For example, the line "Security risk with a safety impact" contains "Not applicable" under "Security Control", hence that line focuses on the risk, not the control.
Medical Device Licence Application
All in all, the main goal of this guidance is to give recommendations on the content of a medical device licence application for class III and IV devices, which are also applicable to class II and class I design files. It embraces the state of the art in this discipline and defines how it should be documented.
UL 2900-1 and AAMI TIR 57
On the normative side, the Canadian guidance references a few standards and guidances. We find AAMI TIR 57, which gives very good hints on the relationship between security risk management and safety risk management.
We also have UL 2900-1, so far the one and only standard addressing cybersecurity in medical device design. UL 2900-1 overlaps partially with the two draft guidances: all design measures found in the guidances are found in UL 2900-1. Thus UL 2900-1 sets a common ground for the design of medical devices.
We will see that in the next post.
BTW, IEC 62304 and ISO 14971 are also referenced. Like everyday life!
Conclusion
North American agencies are strengthening their expectations on cybersecurity in regulatory submissions. Health Canada is the newcomer, with their guidance copyright Her Majesty the Queen in Right of Canada. (Who is also Her Majesty the Queen of the UK!).
Hey European Commission, where is your guidance answering General Safety and Performance Requirements #17 and #23.ab in Annex 1 of regulation 2017/745/UE?