NIST-Proposed Cybersecurity Guidance & Its Potential Impact to MedTech

Elisabeth George

Whoever we are, whatever we do for a living, we’re all engaged with software. As developers, regulators or just users of software products, it’s important that we have an understanding of what goes into making software – and which government bodies oversee different software industries. This is especially true when one federal organization is poised to make decisions that will likely have a ripple effect on our work.

For those of us in the medical device arena, the FDA is the main regulator overseeing our work, but it is not the only body whose output matters. Executive Order 14028 directed the National Institute of Standards and Technology (NIST) to develop cybersecurity guidance for commercial technology and off-the-shelf software, including criteria for labeling programs for consumer IoT devices and consumer software. NIST publishes guidance rather than enforcing it, but those are exactly the products the MedTech industry builds into its digital health solutions, and what NIST establishes will likely be an input to the FDA's industry-specific guidance. It is therefore our responsibility to know what NIST is working on and to prepare for the changes to come.

Last year, NIST's Information Technology Laboratory Cybersecurity for IoT Program published multiple white papers, reports and drafts on cybersecurity labeling of consumer Internet of Things (IoT) products and consumer software products. The first of these publications, “Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products,” was published in February 2022. It introduces the challenge set before NIST and establishes their strategy for addressing that challenge. Although it is billed as a “recommendation,” there is a confusing amount of “shall” and “should” in it.

The document features real-world examples of product vulnerabilities and of the proposed baseline information needed to support cybersecurity. I found it interesting that risk tailoring and tiering considerations were included, when consumer products are generally low-risk. It is unclear to me whether NIST's expectations on the availability of labeling apply solely to cybersecurity information or to the entire product. I also can't help feeling that giving consumers more information fails to address the very real need for better education on cybersecurity.

After the publication of this white paper, NIST met with stakeholders, including industry associations, consumer representatives, companies, and standards and conformity assessment bodies. Their May 2022 summary report, “Report for the Assistant to the President for National Security Affairs (APNSA) on Cybersecurity Labeling for Consumers: Internet of Things (IoT) Devices and Software,” reflects the input of these stakeholders. While generally positive, stakeholders did voice concerns about consumer education, consistency in labeling content and design, and the overall program incentives.

“Profile of the IoT Core Baseline for Consumer IoT Products” (draft NIST IR 8425), released in June 2022, is a public draft that builds on the previous white paper with input from the stakeholder report. I'm no cybersecurity expert, but I noticed the emphasis on basic principles of good software design, like configuration management, identification, life expectancy, documentation and education, that supports their suggestions. It is reminiscent of medical device software QMS, but general enough to apply to any technology sector. Both this document and its predecessors rightfully emphasize human factors, usability and ergonomics.

The NIST site has a ton of great resources worth sinking your teeth into, but the last one I want to highlight is the workshop summary report for “Building on the NIST Foundations: Next Steps in IoT Cybersecurity.” This report summarizes keynote presentations from NIST's June 2022 virtual workshop, identifies their key takeaways based on workshop discussions and Q&A, and shows the results of online polls conducted during the workshop.

NIST's final guidance on cybersecurity labeling is still some way off, but MedTech needs to get involved in this work today. The perspectives of medical device industry personnel need to be captured in these requirements, or we run the risk of letting another industry over-prescribe how we accomplish labeling, education and other changes. We also need to stay engaged with NIST, so that when requirements change we are able to implement them as quickly as possible in our own ways of working. By taking the time to review these draft proposals and give your input, you are giving MedTech a voice in these decisions.

About the Author

Elisabeth George is an experienced leader, business executive and consultant committed to shaping and leading global organizations in continuous improvement and innovative ways of using standards and regulations, not only for compliance but also for supporting customer value. She frequently speaks at Industry and Standards Conferences where stakeholders from Regulators, Industry and Users (Clinicians & Patients) participate. She is a recent recipient of the NEMA Röntgen Award and the ANSI George S. Wham Leadership Medal recognizing her leadership and drive. She is committed to making an impact through her skills as a leader, her experience in Medical Device Regulations and Standards and her desire to be a learning partner in delivering positive business outcomes. She is presently serving on the ANSI Board of Directors.

Elisabeth has held senior leadership roles for more than 30 years, joining Haemonetics in 1989 as Director of Quality and Regulatory and going on to Sr. Director and Vice President of Quality and Regulatory positions with Hewlett Packard, Agilent and Philips.

At Philips she held the position of Vice President of Quality, Regulatory, Sustainability and Product Security, with responsibility for two of the major product lines. She also held the position of Vice President/Head of Global Regulations and Standards and represented Philips in trade associations, regulatory body advisory panels and standards development organizations such as AdvaMed, AAMI, ANSI, NEMA, IMDRF and FDA Advisory Panels.

Elisabeth holds a Bachelor of Science in Biomedical Engineering from Boston University and a Master's Certificate in Engineering Management from Northeastern University.
