FDA Wants Medical Devices to Have Mandatory Built-In Update Mechanisms

The US Food & Drug Administration plans to ask Congress for more funding and regulatory powers to improve its approach towards medical device safety, including on the cybersecurity front.

An FDA document released this week reveals several of the FDA's plans, including the desire to force device makers to include mandatory update systems inside products for the purpose of delivering critical security patches.

Medical devices to come with a "Software Bill of Materials"

In addition, the FDA also plans to force device makers to create a document called "Software Bill of Materials" that will be provided for each medical device and will include software-related details for each product.

Hospitals, healthcare units, contractors, or users will be able to consult the medical device's bill of materials and determine how it functions, what software is needed for what feature, and what technologies are used in each device.

The idea is to help device owners "better manage their networked assets and be aware of which devices in their inventory or use may be subject to vulnerabilities."

Further, the FDA also wants to "update the premarket guidance on medical device cybersecurity to better protect against moderate risks (such as ransomware campaigns that could disrupt clinical operations and delay patient care) and major risks (such as exploiting a vulnerability that enables a remote, multi-patient, catastrophic attack)." This guidance will most likely be added to the FDA's existing cybersecurity guidelines and recommendations.

FDA plans new entity —a mix between CERT and the NTSB

Last but not least, the FDA wants to create a new entity called the CyberMed Safety (Expert) Analysis Board (CYMSAB) that will be a public-private partnership.

CYMSAB's primary role would be to assess, assist, and adjudicate coordinated vulnerability disclosures in medical devices, a process known to get rocky sometimes, mainly due to thorny or hard-to-reach vendors.

CYMSAB may also serve as "a 'go-team' that could be deployed in the field to investigate a suspected or confirmed device compromise at a manufacturer’s or FDA’s request."

This description makes it look like CYMSAB will investigate cybersecurity issues for the FDA, similarly to how the National Transportation Safety Board (NTSB) investigates aviation accidents for the US Department of Transportation.