Mary Hershewe and Michael C. Zogby//July 11, 2022//
Global data breaches are on the rise, potentially impacting thousands of companies and tens of millions of people each year. The health care and life sciences industries are no exception, and protection of personal information is paramount.
Over the past three years, the number of data incidents and breaches in health care has increased threefold. In 2021 alone, nearly 50 million people in the U.S. had their sensitive health data breached. PwC’s 2022 Global Economic Crime and Fraud Survey states that cybercrime accounts for 40% of all fraud experienced by the health care industry. According to U.S. Department of Health & Human Services Data Breach Reports, hacking/IT incidents are the leading cause of health care data breaches, far ahead of those caused by unauthorized access, loss or theft of protected health information, or theft of unencrypted ePHI.
The life sciences and health care industries are a primary target for data incidents and cybercrime for several reasons. First, health care information is particularly valuable to hackers, who can sell the data on the dark web or fraudulently use it to file false medical claims or steal identities. Second, the industry is a more lucrative target for ransomware attacks (the theft of data held for ransom) because the loss of patient information could mean the life of a patient. The significance of patient data leaves health care entities in a more urgent position and more likely than other industries to pay ransom fees to reobtain stolen data. Similarly, pharmaceutical and medical device companies are a target for cyber criminals based on the value of proprietary data and intellectual property.

These incidents and breaches are particularly expensive for health care organizations. One of the most comprehensive reports on the cost of data breaches found that health care breaches have carried the highest damages of any industry for 11 consecutive years, with each individual breach costing health care organizations an average of $9.23 million in 2021. The pharmaceutical industry trails closely behind, with data breaches costing an average of $5.04 million.
The increasing prevalence and cost of cybercrime and data incidents are being analyzed by the U.S. Food and Drug Administration with regard to the development of cybersecurity in medical devices, which is governed by a premarket guidance drafted in 2013 and issued by the FDA in 2014.
On April 7, 2022, the FDA issued a new draft guidance (“Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions”), which would replace a 2018 draft that was never finalized as well as the 2014 guidance.
The new cyber guidance covers both quality system considerations and the content of premarket submissions, whereas the 2014 guidance focused mainly on premarket submissions. Although the 2018 draft was praised by sponsors, medical associations, and others for attempting to provide a more iterative approach to managing cybersecurity, several comment submissions sought significant additional modifications and clarifications. Data incidents and cybersecurity were also rapidly evolving, and the FDA was still building out its cybersecurity program at that time (in 2016, the FDA issued a companion post-market cybersecurity guidance, which is still in effect).
Ultimately, instead of trying to change the 2018 draft, regulators decided it was better to develop an entirely new guidance.
The FDA states this new guidance “emphasize[s] the importance of [designing] medical devices with additional securities” that are baked in so “cybersecurity risks can be mitigated throughout the total product lifecycle (TPLC).” The new guidance also contains an important acknowledgment that cybersecurity is part of device safety and the quality system regulations (QSR), and states that manufacturers must establish procedures to develop and validate device designs. Relatedly, the FDA focuses on the ability of a secure product development framework (SPDF) to satisfy device safety and the QSR. The FDA defines an SPDF as “a set of processes that reduce the number and severity of vulnerabilities in products throughout the device lifecycle.”
The guidance is consistent with H.R. 7084, a bill introduced in Congress in March 2022 that proposes cybersecurity monitoring throughout the total life of medical device products. The legislation would enhance medical device security by requiring that manufacturers create a plan to monitor and address post-market cyber exploits, among other measures; a similar bill was also introduced in the Senate. Additionally, the measure would increase the FDA’s budget for regulating and managing cybersecurity.
As before, the 2022 guidance addresses software, firmware and programmable logic, but the FDA now provides much more clarification and detail about what it expects for premarket submissions and proposes dozens of new recommendations. Generally, the changes suggested in the 2022 guidance fall into one of three categories: expanding on labeling and other information transparency requirements; expanding on the premarket information the FDA expects to be available in a submission; and promoting a total product lifecycle approach, that is, developing products so that cybersecurity risks can be mitigated throughout the life of the product, whether in the premarket or post-market phase.
The FDA asks for considerably more in terms of labeling medical devices, especially where cybersecurity risk management is transferred to the user. Part VI (A) of the draft provides the list of “labeling requirements.” Of the 15 requirements, only the recommendation for “cybersecurity controls such as antimalware, firewall, and password requirements” was present in 2014. Some new labeling requirements include:
The FDA also asks manufacturers for more technical information, such as manuals, so users can quickly identify and patch issues. The focus on data controls and user instructions may help companies respond to data breaches more quickly or prevent them altogether. Twenty percent of data breaches are caused by compromised credentials.
One area of the 2022 guidance that is likely to be received well by the industry is that there is no requirement to categorize medical devices into “risk tiers.” In 2018, the FDA suggested manufacturers categorize their products into two risk tiers, based on whether the device could be connected to other devices or if a cyber breach could result in harm to multiple patients. Many saw this requirement as confusing and questioned the FDA’s authority to create it. Medical devices are already subject to a three-tier general risk classification scheme under federal law.
Despite no additional risk tier categorization requirement, overall, the FDA proposes significant new expectations for premarket submissions, including security risk assessments for known vulnerabilities, security risk management plans, security risk reporting plans, and much more.
Although TPLC was mentioned in the 2014 guidance, the FDA provided little to no detail to clarify its expectations around the approach. In the update, the agency provides clarity for those earlier recommendations and makes new ones.
The FDA clarifies that threat modeling should be used to identify security objectives, risks, vulnerabilities and countermeasures. Threat modeling should be performed throughout the design process and should capture risks both inherent to the product and those introduced via outside sources, such as in the supply chain, connecting with other devices or maintenance/updates.
Cybersecurity should continue to be assessed throughout the TPLC. For example, manufacturers should keep track of the percentage of identified vulnerabilities that are able to be updated/patched, the time it takes from identification of a vulnerability to update/patch, and more.
Cybersecurity testing should also be performed at regular intervals (annually).
Requiring manufacturers to develop strategies for tracking update/patch success rates and time from identification of a vulnerability to update/patch is particularly important. The 2021 IBM report found that breaches are taking longer to identify than in prior years. Last year, it took an average of 287 days to identify a breach, and those that take longer than 200 days to identify cost companies significantly more: $4.87 million as opposed to $3.61 million. Other reports, such as a recent BAH ransomware study, have found that companies might not be as prepared as they thought they were to respond to cyberattacks; many have cyberattack plans, but there are gaps. Clear objectives for recovery times, together with regular data integrity and recovery testing, could help companies identify vulnerabilities sooner.
Significantly, the FDA would also require manufacturers to document all software components of a device. The FDA recommends doing this with a software bill of materials (SBOM) instead of the cybersecurity bill of materials (CBOM) it initially proposed in 2018. An SBOM is likely to be more acceptable to industry members because it is less onerous than a CBOM. An SBOM requires manufacturers to list all the components of their software (whether owned, licensed or open source, and whether developed by the manufacturer or a third party). A CBOM would require this for both software and hardware (the physical components of a system, such as keyboard, mouse, etc.). The suggestion for a CBOM generated concern because of the arduous task of listing ever-changing hardware components (think date lot codes), with minimal to no utility to cybersecurity. Additionally, as commenters pointed out, the 2016 post-market guidance on cybersecurity requires SBOMs rather than CBOMs. Moreover, the SBOM requirement is arguably more in line with the president’s Executive Order 14028, which requires SBOMs for software devices.
In the FDA’s view, this more detailed guidance would help companies align their design control processes to evaluate software security risk and promote cybersecurity management through the TPLC.
Comments to the draft closed July 7. Given the longstanding need for an update and the increasing risk of cybersecurity threats to medical devices, this guidance is an important step in helping mitigate cybersecurity threats in health care. The FDA has acknowledged that cybersecurity “threats and vulnerabilities cannot be eliminated” and that reducing cyber threats is “especially challenging” in the “health care environment.” Doing so requires teamwork across industries; in the agency’s words, “manufacturers, hospitals, and facilities must work together to manage cybersecurity risks.”
Mary Hershewe is a product liability and mass torts attorney at Faegre Drinker. Michael Zogby is a partner at Faegre Drinker and deputy leader of the product liability and mass torts practice group and co-chair of the firm’s health & life sciences litigation team. The authors would like to thank Interning Associate Summer Elliot for their help in drafting this article.