FDA launches new cybersecurity requirements for medical devices

New required processes for manufacturers and new considerations for providers

Jun 23, 2023

Key takeaways

New requirements apply to device manufacturers that apply for FDA approval after March 29, 2023.

FDA submissions made before Oct. 1, 2023, will not automatically receive a refuse-to-accept (RTA) decision.

After Oct. 1, manufacturers will likely have to demonstrate adherence to the requirements or face an RTA.

Providers may want to evaluate current devices and consider upgrades for updated protections.

As medical device technology has become more advanced, and as connectivity between a growing number of systems and tools across medical facilities and organizations has increased, new cybersecurity gaps and vulnerabilities have emerged. Threat actors are no longer primarily after financial information and credit card data; they now seek to breach systems that hold vast amounts of personal data, such as those of hospitals and health systems. As a result, connected medical devices are under more scrutiny from regulators.

The federal government, for example, recently amended medical device requirements by adding a new Ensuring Cybersecurity of Devices section to the Federal Food, Drug, and Cosmetic Act. The new guidance helps ensure that products entering the market are more secure, decreasing the likelihood of a security incident originating in a manufactured device. In addition, the guidelines promote continuous monitoring of the software bill of materials (SBOM) so that higher-risk vulnerabilities are resolved in a timely manner.

How new guidelines affect device manufacturers and health care providers

The security requirements apply to manufacturers of cyber devices, including those for medical use, that file for Food and Drug Administration (FDA) approval after March 29, 2023, including 510(k), premarket approval application, Product Development Protocol, De Novo and Humanitarian Device Exemption applicants. While the cybersecurity requirements do not apply to an application or submission made to the FDA before March 29, any manufacturer’s change to a previously authorized device that warrants premarket FDA review requires adherence to the new standard.

Although the Ensuring Cybersecurity of Devices requirements are already in place, FDA submissions made before Oct. 1, 2023, will not automatically receive a refuse-to-accept (RTA) decision. Instead, the FDA will likely work with manufacturers during the review process to resolve any deficiencies related to the new requirements and help them reach compliance. The implication is that after Oct. 1, manufacturers will likely have to demonstrate adherence to the requirements through submitted documentation or face an RTA decision without the collaboration described above.

Even if devices are grandfathered under a previous standard, manufacturers should consider bringing them into compliance with the new guidelines to build confidence in their security measures. In addition, while healthcare providers and systems are not held accountable under the new requirements, they may want to evaluate current devices and consider upgrading systems and applications to help ensure that effective protections against cyberattacks are in place. They can also mitigate risk by segregating outdated devices onto their own network until a long-term solution is determined.

These new guidelines place considerably more awareness and responsibility on device manufacturers, with new demands spanning development, testing and maintenance of the SBOM throughout the device’s life cycle.

Developing an effective compliance approach

What steps should manufacturers and health systems take to help confirm that devices are secure and adhere to the new Ensuring Cybersecurity of Devices guidelines? Both parties should start by creating a documented plan to continuously monitor devices to identify and remediate post-market vulnerabilities. In addition, manufacturers and providers should establish processes and procedures to support the plan to provide assurance that devices are secure and emerging vulnerabilities can be remediated in a timely manner.

Manufacturers must be able to provide the SBOM to the FDA, including commercial (e.g., off-the-shelf) and open-source software components. Further, they must be prepared to demonstrate compliance with future requirements introduced through FDA regulation, providing additional assurance that devices are secure.
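The two paragraphs above call for a documented plan to monitor devices for post-market vulnerabilities and for an SBOM that covers both commercial and open-source components. The following added example (not code from the article, RSM or the FDA) shows the core of such a monitoring step: it loads a constructed SBOM in a simplified CycloneDX-style JSON layout, matches each component against a constructed advisory list, separates commercial from open-source components by license, and ranks affected components by severity so the higher-risk ones are remediated first. The component names, versions, advisory identifiers (`ADV-EXAMPLE-…`) and the 7.0 severity cut-off are all illustrative placeholders.

```python
"""Check a device SBOM against a vulnerability advisory feed and rank findings.

Added example for illustration only. The SBOM and the advisory list are
constructed inline; the advisory identifiers are placeholders, not real
vulnerability IDs. The SBOM shape loosely follows the CycloneDX JSON layout
(a top-level "components" list with name, version and licenses), simplified.
"""
import json

# Constructed SBOM for a hypothetical device firmware image.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "libssl-example", "version": "1.1.2",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "zlib-example", "version": "1.2.11",
     "licenses": [{"license": {"id": "Zlib"}}]},
    {"type": "library", "name": "sqlite-example", "version": "3.36.0",
     "licenses": [{"license": {"id": "blessing"}}]},
    {"type": "operating-system", "name": "vendor-rtos", "version": "4.0.3",
     "licenses": [{"license": {"id": "LicenseRef-Commercial"}}]}
  ]
}
"""

# Constructed advisory feed: component, first fixed version, severity score.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "component": "libssl-example", "fixed_in": "1.1.3", "severity": 9.1},
    {"id": "ADV-EXAMPLE-002", "component": "zlib-example", "fixed_in": "1.2.12", "severity": 5.5},
    {"id": "ADV-EXAMPLE-003", "component": "sqlite-example", "fixed_in": "3.35.0", "severity": 7.8},
    {"id": "ADV-EXAMPLE-004", "component": "vendor-rtos", "fixed_in": "4.1.0", "severity": 8.2},
]


def parse_version(version):
    """Turn a dotted numeric version string into a comparable tuple of ints."""
    return tuple(int(part) for part in version.split("."))


def load_components(sbom_text):
    """Return the component list from a CycloneDX-style SBOM document."""
    return json.loads(sbom_text)["components"]


def component_source(component):
    """Classify a component as commercial or open-source from its license ids.

    Heuristic for this example: a LicenseRef-Commercial id marks a vendor
    (off-the-shelf) component; anything else is treated as open-source.
    """
    ids = {entry.get("license", {}).get("id", "") for entry in component.get("licenses", [])}
    if any(i.startswith("LicenseRef-Commercial") for i in ids):
        return "commercial"
    return "open-source"


def find_affected(components, advisories):
    """Match every component against the advisories by name and version."""
    findings = []
    for component in components:
        installed = parse_version(component["version"])
        for adv in advisories:
            if adv["component"] != component["name"]:
                continue
            # Affected when the installed version predates the first fixed version.
            if installed < parse_version(adv["fixed_in"]):
                findings.append({
                    "component": component["name"],
                    "version": component["version"],
                    "source": component_source(component),
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                    "fixed_in": adv["fixed_in"],
                })
    return findings


def prioritize(findings, high_threshold=7.0):
    """Split findings into high-risk and lower-risk lists, most severe first."""
    ranked = sorted(findings, key=lambda f: f["severity"], reverse=True)
    high = [f for f in ranked if f["severity"] >= high_threshold]
    lower = [f for f in ranked if f["severity"] < high_threshold]
    return high, lower


def run_check(sbom_text=SBOM_JSON, advisories=ADVISORIES, high_threshold=7.0):
    """Produce a monitoring report: ranked findings plus a source breakdown."""
    components = load_components(sbom_text)
    high, lower = prioritize(find_affected(components, advisories), high_threshold)
    sources = {}
    for component in components:
        src = component_source(component)
        sources[src] = sources.get(src, 0) + 1
    return {"high_risk": high, "lower_risk": lower, "sources": sources}


if __name__ == "__main__":
    report = run_check()
    print("SBOM components by source:", report["sources"])
    for f in report["high_risk"]:
        print(f"HIGH  {f['advisory']}: {f['component']} {f['version']} "
              f"({f['source']}), fixed in {f['fixed_in']}, severity {f['severity']}")
    for f in report["lower_risk"]:
        print(f"LOWER {f['advisory']}: {f['component']} {f['version']} "
              f"({f['source']}), fixed in {f['fixed_in']}, severity {f['severity']}")
```

Run on the constructed data, the report lists the libssl and RTOS findings as high risk, the zlib finding as lower risk, and leaves sqlite out because its installed version is already past the fixed version. In a real program the SBOM would come from the build pipeline and the advisories from a live feed, and this check would be scheduled to re-run whenever either changes, which is what "continuous monitoring" amounts to in practice.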

Healthcare organizations should pay close attention when planning device purchases. Even if a hospital or provider purchases a device after March 29, 2023, that device may be grandfathered under the older guidelines and not subject to the new FDA cybersecurity requirements.

It is important for providers to perform the necessary due diligence to ensure their expectations are met.

Moving forward, healthcare providers should add a testing step before the procurement phase to confirm that devices are FDA-ready. This step should verify that the purchased devices are secure, and a line of communication should be established with the manufacturer to address any future security concerns.

The risks of noncompliance will continue for quite some time, so maintaining contact with manufacturers will be critical for providers.

When health care systems make purchases, they should work with the manufacturers to reduce risks, whether they segregate older devices to their own network or actually apply patches because most of the older devices may have inherent risks associated, but many providers may not know what to do with the medical devices.
Paul Fountain, RSM US LLP director

Getting the right advice

The considerable advances in medical device technology have increased efficiency, insight and the quality of patient care. However, increased connectivity across a vast number of devices has also created more potential for cybersecurity vulnerabilities. With increased FDA oversight, both manufacturers and healthcare providers need to adapt their processes to ensure devices meet the new security expectations.

RSM’s experienced consultants can advise device manufacturers and healthcare providers on how to align with the new Ensuring Cybersecurity of Devices guidelines. For example, our team can provide targeted penetration testing of cyber devices prior to FDA filing, SBOM documentation, process design for both pre- and post-market continuous vulnerability identification and remediation, and a managed vulnerability management program (e.g., periodic, defined vulnerability scanning).

Contact our team to learn how we can work with you to develop an FDA-compliant approach to medical device development, production, and maintenance.
