NCHR Comment on Management of Cybersecurity in Medical Devices

National Center for Health Research, March 18, 2019

National Center for Health Research Public Common on
Content of Premarket Submissions for Management of Cybersecurity in Medical Devices; Draft Guidance for Industry and Food and Drug Administration Staff; Availability

Thank you for the opportunity to provide our views on the draft guidance “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.”

The National Center for Health Research is a nonprofit think tank that conducts, analyzes, and scrutinizes research, policies, and programs on a range of issues related to health and safety.  We do not accept funding from companies that make products that are the subject of our work.

We support FDA’s efforts to update their approach to address growing concerns about cybersecurity risks in medical devices through the premarket submission process.  Software and medical devices have become increasingly interconnected and vulnerable to network-related cybersecurity breaches, which puts patients at risk.  We have several concerns and recommendations to improve the updated guidance.

Justify the intended users, purpose, and value of the Cybersecurity Bill of Materials (CBOM).  The CBOM is defined as “including but not limited to a list of commercial, open source, and off-the-shelf software and hardware components to enable device users (including patients, providers, and healthcare delivery organizations)…to effectively manage their assets, to understand the potential impact of identified vulnerabilities to the device (and the connected system), and to deploy countermeasures to maintain the device’s essential performance.”  We agree that a CBOM that lists device hardware and software that could be vulnerable to cybersecurity breaches will be valuable going forward.  However, the guidance should also more clearly justify the CBOM intended users, purpose, and value:

  • How will the CBOM be helpful to the aforementioned users (particularly patients and providers) who may not have the required technical expertise to leverage this information to better manage their cybersecurity risks?
  • What are potential uses (and users) of the machine-readable format of the CBOM (described in Section B.1.g)? If this includes integration into FDA’s existing medical device databases or with ongoing (or planned) post-market surveillance initiatives, those should be mentioned.

 Explain how digital health cybersecurity that impacts medical devices will be addressed.  In the current document, one of the key criteria that places a medical device in the “higher cybersecurity risk” tier is its ability to connect with “another medical or non-medical product, or to a network, or to the Internet.”  However, many digital health technologies (e.g. clinical decision support, mobile apps, and electronic health records) are already capable of connecting and interacting with networks, as well as with other medical devices.  While recent legislation removed some digital health products from FDA regulatory oversight, cybersecurity attacks make no distinction between these different technologies, all of which play a potential role in patient care or clinical decision-making.1  As a result, guidance should explain how to handle cybersecurity attacks that target medical devices directly as well as indirectly through digital health technologies that could connect to these devices.  If the FDA plans to address digital health cybersecurity through the FDA Software Precertification program or other related initiatives, this should also be included in the guidance document.

Reinforce medical device cybersecurity without sacrificing usability.  The previous (2014) version of the draft guidance stated that “manufacturers should also carefully consider the balance between cybersecurity safeguards and the usability of the device in its intended environment of use,” yet the current draft completely removes the discussion of usability.  Cybersecurity and usability in medical devices are not mutually exclusive.  Indeed, poor product usability is a key problem in healthcare technology today, a source of frustration for healthcare providers, and also has important patient safety implications.2  We therefore strongly recommend reintroducing the usability discussion into the guidance document.



1         Ronquillo JG, Zuckerman DM.  Software-related recalls of health information technology and other medical devices: Implications for FDA regulation of digital health. Milbank Quarterly. 2017. 95:535–53.

2         Ratwani R, Benda N, Hettinger A, et al. Electronic health record vendor adherence to usability certification requirements and testing standards. JAMA. 2015. 314:1070–1.