U.S. Food and Drug Administration main campus building.

On Oct. 18, the U.S. Food and Drug Administration issued new draft recommendations for the cybersecurity design of medical devices, intended to reduce the risk that a device can be exploited and the resulting risk to patients. Many of these recommendations have likely already been implemented by device makers, but there is concern that the guidance could add more confusion than clarity.

The nonbinding draft guidance sets out cybersecurity recommendations for manufacturers preparing premarket submissions for devices seeking FDA approval to enter the consumer market.

Manufacturers, the FDA suggested, should take a risk-based approach when deciding which security features to design in and what level of cybersecurity resilience is appropriate for a given device.

Unlike the cybersecurity guidance the FDA issued in 2014, the new draft defines two tiers of devices according to their cybersecurity risk.

Tier 1 devices carry the higher cybersecurity risk. They are devices capable of connecting, wired or wirelessly, to other medical or nonmedical products, to a network, or to the internet, and for which a cybersecurity incident could directly result in harm to multiple patients. The FDA included a non-exhaustive list of Tier 1 examples: pacemakers, brain stimulators and neurostimulators, dialysis devices and insulin pumps.

By contrast, Tier 2 is simply every medical device that does not meet the Tier 1 criteria.

In the new draft, the FDA recommends that premarket submissions for Tier 1 devices include documentation demonstrating how the device's design and risk assessment incorporate the cybersecurity design controls described in the guidance.

Those design controls include building devices that identify and protect their assets and functionality, for example by preventing unauthorized use.

The FDA also advised companies to protect the confidentiality of the data their devices process, to design devices so that "cybersecurity routine updates and patches as well as emergency workarounds" can be deployed, and to ensure that such firmware and software updates are cryptographically verified before they are applied.
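As an added example (not code from the FDA guidance or from any device vendor), the following Go program shows one way a device can cryptographically verify an update before applying it. The package layout (a version number and image digest in a manifest, an Ed25519 signature over that manifest, then the image), the use of Ed25519 and SHA-256, and the anti-rollback rule are all assumptions chosen for illustration; the sample firmware image is a constructed byte string. The device holds only the vendor's public key, and an update is rejected if the manifest signature fails, if the image does not match the signed digest, or if the version is not newer than the one installed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed update-package layout (an assumption for this example, not a
// format from the FDA guidance or any vendor):
//   manifest = version (uint32, big-endian) || SHA-256(image)
//   package  = manifest || Ed25519 signature over manifest || image
const (
	versionLen   = 4
	digestLen    = sha256.Size
	manifestLen  = versionLen + digestLen
	signatureLen = ed25519.SignatureSize
	headerLen    = manifestLen + signatureLen
)

var (
	ErrTruncated = errors.New("update package too short")
	ErrBadSig    = errors.New("manifest signature invalid")
	ErrDigest    = errors.New("image digest does not match signed manifest")
	ErrRollback  = errors.New("update version is not newer than installed version")
)

// BuildUpdate is the vendor-side packaging step; the private key never
// leaves the vendor's signing infrastructure.
func BuildUpdate(priv ed25519.PrivateKey, version uint32, image []byte) []byte {
	manifest := make([]byte, manifestLen)
	binary.BigEndian.PutUint32(manifest[:versionLen], version)
	sum := sha256.Sum256(image)
	copy(manifest[versionLen:], sum[:])
	sig := ed25519.Sign(priv, manifest)

	pkg := make([]byte, 0, headerLen+len(image))
	pkg = append(pkg, manifest...)
	pkg = append(pkg, sig...)
	return append(pkg, image...)
}

// VerifyUpdate is the device-side check. Only the vendor's public key is
// stored on the device. The image is returned only if the manifest signature
// verifies, the image matches the signed digest, and the version is strictly
// newer than the installed one (anti-rollback).
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, pkg []byte) (uint32, []byte, error) {
	if len(pkg) < headerLen {
		return 0, nil, ErrTruncated
	}
	manifest := pkg[:manifestLen]
	sig := pkg[manifestLen:headerLen]
	image := pkg[headerLen:]

	// 1. Authenticate the manifest before trusting any field in it.
	if !ed25519.Verify(pub, manifest, sig) {
		return 0, nil, ErrBadSig
	}
	// 2. Bind the payload to the authenticated manifest.
	sum := sha256.Sum256(image)
	if !bytes.Equal(sum[:], manifest[versionLen:]) {
		return 0, nil, ErrDigest
	}
	// 3. Refuse downgrades to an older, possibly vulnerable, version.
	version := binary.BigEndian.Uint32(manifest[:versionLen])
	if version <= installed {
		return 0, nil, ErrRollback
	}
	return version, image, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image, version 2") // constructed sample payload
	pkg := BuildUpdate(priv, 2, image)

	if v, _, err := VerifyUpdate(pub, 1, pkg); err == nil {
		fmt.Printf("accepted update to version %d\n", v)
	}
	tampered := append([]byte(nil), pkg...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the image
	_, _, err = VerifyUpdate(pub, 1, tampered)
	fmt.Println("tampered image:", err)
	_, _, err = VerifyUpdate(pub, 2, pkg)
	fmt.Println("same version again:", err)
}
```

The signature covers the manifest rather than the whole image so that a device with limited memory can authenticate the small header first and then stream the image through a hash; the digest in the manifest is what ties the two together. The version check matters for implanted devices in particular, since an attacker who can replay a validly signed but older image would otherwise be able to reintroduce a fixed vulnerability.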

Mark Melodia, a privacy, data security and consumer class action defense lawyer at Holland & Knight, noted that the FDA's new draft recommendations include many widely agreed-upon practices. For instance, he said he has observed clients that produce Tier 1 devices documenting their cybersecurity decision-making.

However, Melodia questioned whether the nonbinding draft recommendations would stay nonbinding.

“The first [issue] that industry always has when it's termed guidance or recommendation is, 'Is it really?' Is it really nonbinding recommendations, or is what is termed that now turned into something more specific, more binding and more onerous?” He said plaintiffs' lawyers may twist regulatory recommendations into a “de facto requirement,” and any failure to meet that standard may lead to legal action.

He also noted that the guidance could be read as encouraging rapid changes and patches in the name of cyber resilience, even though patients with invasive medical devices have an interest in those devices not being changed often.

“Some [medical devices] are implanted in people and it is not as easy as updating your PC. We certainly don't want to be rushing out with changes and patches with an eye on cybersecurity and in any way threatening patient care,” he said.

Melodia cited the FDA's 2014 recommendations, and the lag between a company's research and development, FDA approval and a device's arrival on the consumer market, as factors that create uncertainty about which guidance a given device will be held to.

“By what era standard will these new products coming onto market be judged? Both the tools available and component parts are by definition a few years old by the time they reach the consumer and the medical community.”

The FDA is currently accepting comments and suggestions on its guidance. The public comment period is scheduled to end March 17, 2019.