The agency foreshadowed the requirement for a bill of materials in its Medical Device Safety Action Plan, released in April 2018. In that document, the agency wrote that a bill of materials would help users "better manage their networked assets and be aware of which devices in their inventory or use may be subject to vulnerabilities."
Many in the industry have called for bills of materials for a long time.
"We don't necessarily have a secure supply chain in general," said David Ross, principal and cybersecurity growth leader for Baker Tilly's risk, internal audit and cybersecurity practice. "A bill of materials might help your staff when you're procuring these devices. You could do a risk assessment and quantify the overall risk from a cyber perspective for any given device."
The FDA's draft guidance for premarket submissions, released Wednesday, updates the FDA's 2014 final guidance. "The rapidly evolving landscape, and the increased understanding of the threats and their potential mitigations, necessitates an updated approach," according to the FDA.
Security risks have been increasing with the proliferation of the internet of things, as devices with network connections become more common. Organizations have boosted their IT budgets, with the average budget now at $30 million per year, according to the Ponemon Institute.
Overall, the agency seems to be focusing on controls more than processes, Ross said. That makes sense, given the FDA's position as a regulator. But it's important for hospitals and other organizations to pay attention to both controls and processes, he said.
In the new draft guidance, the agency distinguishes between two kinds of medical devices: those that connect to other devices or networks and that could lead to patient harm if hit by a cyberattack, and those that aren't connected to other devices or networks and don't pose similar risks.
The FDA recommends that all devices require user authentication before device software or firmware can be updated. Device manufacturers should also include, with their products, information about when they'll stop offering security patches and software updates.
"If the device remains in service following the end of support, the cybersecurity risks for end-users can be expected to increase over time," the guidance said.
When in use, devices should be designed to reject, by default, any connection that hasn't been authorized. If an unauthorized USB drive is plugged into a device, the device should reject it automatically.
Device makers should also limit which users can access certain functions of the device by requiring authentication at certain points, according to the guidance. A provider might get different access privileges from a system administrator, for example. Such tiered access is a best practice in the commercial world, Ross said.
The FDA recommended other safeguards for devices once they're in use. Guided by NIST standards, the FDA recommended that devices be able to detect cyberattacks while in use and then notify users of the attacks.
The comment period on the draft guidance runs through March 18, 2019.