AGENCY:

Food and Drug Administration, HHS.

ACTION:

Notice of availability.

SUMMARY:

The Food and Drug Administration (FDA or Agency) is announcing the availability of the draft guidance entitled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.” As more medical devices are becoming interconnected, cybersecurity threats have become more numerous, more frequent, more severe, and more clinically impactful. There is a need to provide manufacturers with specific technical recommendations (e.g., appropriate threat modeling and other premarket testing) to help ensure device cybersecurity. The updates to the existing “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” guidance is anticipated to better protect against risks, such as ransomware campaigns, that could disrupt clinical operations and delay patient care and risks, such as exploiting a vulnerability that enables attacks on multiple patients. This draft guidance is not final nor is it in effect at this time.

DATES:

Submit either electronic or written comments on the draft guidance by March 18, 2019 to ensure that the Agency considers your comment on this draft guidance before it begins work on the final version of the guidance.

ADDRESSES:

You may submit comments on any guidance at any time as follows:

Electronic Submissions

Submit electronic comments in the following way:

• Federal eRulemaking Portal: https://www.regulations.gov. Follow the instructions for submitting comments. Comments submitted electronically, including attachments, to https://www.regulations.gov will be posted to the docket unchanged. Because your comment will be made public, you are solely responsible for ensuring that your comment does not include any confidential information that you or a third party may not wish to be posted, such as medical information, your or anyone else's Social Security number, or confidential business information, such as a manufacturing process. Please note that if you include your name, contact information, or other information that identifies you in the body of your comments, that information will be posted on https://www.regulations.gov.
• If you want to submit a comment with confidential information that you do not wish to be made available to the public, submit the comment as a written/paper submission and in the manner detailed (see “Written/Paper Submissions” and “Instructions”).

Written/Paper Submissions

Submit written/paper submissions as follows:

• Mail/Hand delivery/Courier (for written/paper submissions): Dockets Management Staff (HFA-305), Food and Drug Administration, 5630 Fishers Lane, Rm. 1061, Rockville, MD 20852.
• For written/paper comments submitted to the Dockets Management Staff, FDA will post your comment, as Start Printed Page 52836well as any attachments, except for information submitted, marked and identified, as confidential, if submitted as detailed in “Instructions.”

Instructions: All submissions received must include the Docket No. FDA-2018-D-3443 for “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.” Received comments will be placed in the docket and, except for those submitted as “Confidential Submissions,” publicly viewable at https://www.regulations.gov or at the Dockets Management Staff between 9 a.m. and 4 p.m., Monday through Friday.

• Confidential Submissions—To submit a comment with confidential information that you do not wish to be made publicly available, submit your comments only as a written/paper submission. You should submit two copies total. One copy will include the information you claim to be confidential with a heading or cover note that states “THIS DOCUMENT CONTAINS CONFIDENTIAL INFORMATION.” The Agency will review this copy, including the claimed confidential information, in its consideration of comments. The second copy, which will have the claimed confidential information redacted/blacked out, will be available for public viewing and posted on https://www.regulations.gov. Submit both copies to the Dockets Management Staff. If you do not wish your name and contact information to be made publicly available, you can provide this information on the cover sheet and not in the body of your comments and you must identify this information as “confidential.” Any information marked as “confidential” will not be disclosed except in accordance with 21 CFR 10.20 and other applicable disclosure law. For more information about FDA's posting of comments to public dockets, see 80 FR 56469, September 18, 2015, or access the information at: https://www.gpo.gov/​fdsys/​pkg/​FR-2015-09-18/​pdf/​2015-23389.pdf.

Docket: For access to the docket to read background documents or the electronic and written/paper comments received, go to https://www.regulations.gov and insert the docket number, found in brackets in the heading of this document, into the “Search” box and follow the prompts and/or go to the Dockets Management Staff, 5630 Fishers Lane, Rm. 1061, Rockville, MD 20852.

You may submit comments on any guidance at any time (see 21 CFR 10.115(g)(5)).

An electronic copy of the guidance document is available for download from the internet. See the SUPPLEMENTARY INFORMATION section for information on electronic access to the guidance. Submit written requests for a single hard copy of the draft guidance document entitled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” to the Office of the Center Director, Guidance and Policy Development, Center for Devices and Radiological Health, Food and Drug Administration, 10903 New Hampshire Ave., Bldg. 66, Rm. 5431, Silver Spring, MD 20993-0002 or the Office of Communication, Outreach, and Development, Center for Biologics Evaluation and Research, Food and Drug Administration, 10903 New Hampshire Ave., Bldg. 71, Rm. 3128, Silver Spring, MD 20993-0002. Send one self-addressed adhesive label to assist that office in processing your request.

FOR FURTHER INFORMATION CONTACT:

Suzanne Schwartz, Center for Devices and Radiological Health, Food and Drug Administration, 10903 New Hampshire Ave., Bldg. 66, Rm. 5434, Silver Spring, MD 20993-0002, 301-796-6937, or Stephen Ripley, Center for Biologics Evaluation and Research, Food and Drug Administration, 10903 New Hampshire Ave., Bldg. 71, Rm. 7301, Silver Spring, MD 20993, 240-402-7911.

SUPPLEMENTARY INFORMATION:

I. Background

The need for effective cybersecurity to assure medical device functionality and safety has become more important with the increasing use of wireless, internet- and network-connected devices, and the frequent electronic exchange of medical device-related health information. In addition, cybersecurity threats to the healthcare sector have become more frequent, more severe, and more clinically impactful. Cybersecurity incidents have rendered medical devices and hospital networks inoperable, disrupting the delivery of patient care across healthcare facilities in the United States and globally. Such cyberattacks and exploits can delay diagnoses and/or treatment and may lead to patient harm.

Although FDA issued guidance addressing recommendations for device cybersecurity information in premarket submissions in 2014, ^[1] the rapidly evolving landscape, and the increased understanding of the threats and their potential mitigations necessitates an updated approach. This draft guidance is intended to provide recommendations to industry regarding cybersecurity device design, labeling, and the documentation that FDA recommends be included in premarket submissions for devices with cybersecurity risk. These recommendations can facilitate an efficient premarket review process and help ensure that marketed medical devices are sufficiently resilient to cybersecurity threats.

FDA plans to hold a public workshop on January 29th and January 30th, 2019.^[2] FDA seeks to bring together diverse stakeholders to discuss, in-depth, the draft guidance, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” and the subtopic of the draft guidance regarding a Cybersecurity Bill of Materials (CBOM), which can be a critical element in identifying assets, threats, and vulnerabilities.

II. Significance of Guidance

This draft guidance is being issued consistent with FDA's good guidance practices regulation (21 CFR 10.115). The draft guidance, when finalized, will represent the current thinking of FDA on Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. It does not establish any rights for any person and is not binding on FDA or the public. You can use an alternative approach if it satisfies the requirements of the applicable statutes and regulations. This guidance is not subject to Executive Order 12866.

III. Electronic Access

Persons interested in obtaining a copy of the draft guidance may do so by downloading an electronic copy from the internet. A search capability for all Center for Devices and Radiological Health guidance documents is available at https://www.fda.gov/​MedicalDevices/​DeviceRegulationandGuidance/​GuidanceDocuments/​default.htm. This guidance document is also available at https://www.regulations.gov or https://www.fda.gov/​BiologicsBloodVaccines/​GuidanceComplianceRegulatoryInformation/​default.htm. Persons unable to download an electronic copy of “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” may send an email request to CDRH-Guidance@fda.hhs.gov to receive an electronic copy of the document. Please use the document Start Printed Page 52837number 1825 to identify the guidance you are requesting.

IV. Paperwork Reduction Act of 1995

This draft guidance refers to previously approved collections of information. These collections of information are subject to review by the Office of Management and Budget (OMB) under the Paperwork Reduction Act of 1995 (44 U.S.C. 3501-3520). The collections of information in the following FDA regulations and guidance have been approved by OMB as listed in the following table:

V. Other Issues for Consideration

The Agency invites comments on the “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” draft guidance, in general, and on the following topics, in particular:

• Definition of CBOM:

○ Whether a CBOM should include both software and hardware components

• Type of information and level of detail that should be included in a CBOM
• Effective mechanisms for sharing CBOM information
• Format the CBOM should take:

○ Available formats that could be leveraged

○ Whether multiple formats would be able to co-exist

• Appropriate frequency for updating the CBOM
• Features of a CBOM that would make it automatically consumable

Footnotes