FDA launches new cybersecurity requirements for medical devices

New required processes for manufacturers and new considerations for providers

June 22, 2023

Key takeaways

New requirements apply to device manufacturers that apply for FDA approval after March 29, 2023.

After Oct. 1, manufacturers will likely have to show adherence to the requirements or face a refuse-to-accept (RTA) decision.

Providers may want to evaluate current devices and consider upgrades for updated protections.


As medical device technology has become more advanced, and as connectivity between a growing number of systems and tools throughout medical facilities and organizations has increased, potential cybersecurity gaps and vulnerabilities have emerged alongside it. Threat actors are no longer primarily seeking financial information and credit card data; they are instead looking to breach systems holding the vast amounts of personal data that hospitals and health systems possess. As a result, connected medical devices are under more scrutiny from regulators.

The federal government, for example, recently amended medical device requirements by adding a new Ensuring Cybersecurity of Devices section to the Federal Food, Drug, and Cosmetic Act administered by the Food and Drug Administration (FDA). The new FDA cybersecurity guidance helps ensure that products entering the market are more secure, thereby decreasing the likelihood of a security incident stemming from a manufactured device. In addition, the guidelines promote continuous monitoring of the software bill of materials (SBOM) so that higher-risk vulnerabilities in a device's components are identified and resolved in a timely manner.

How new FDA cybersecurity guidelines affect device manufacturers and health care providers

The security requirements apply to manufacturers of cyber devices, including those for medical use, that file for FDA approval after March 29, 2023, including 510(k), premarket approval application, Product Development Protocol, De Novo or Humanitarian Device Exemption applicants. While the FDA cybersecurity guidelines do not apply to an application or submission to the FDA before March 29, any manufacturer’s change to a previously authorized device that warrants premarket FDA review requires adherence to the new standard.

Even if devices are grandfathered into a previous standard, manufacturers should consider bringing them into compliance with the new FDA cybersecurity guidelines to generate more confidence in their security measures. In addition, while health care providers and systems are not held accountable by the new requirements, they may want to evaluate current devices and consider upgrading systems and applications to help ensure that effective protections are in place against cyberattacks. They can also mitigate potential risk by segregating outdated devices onto their own network segment until they determine a long-term solution.

The new FDA cybersecurity guidance places considerably more awareness and responsibility on device manufacturers, with new demands that run from development through testing to sustaining the SBOM throughout the device's lifecycle.

Developing an effective compliance approach

What steps should manufacturers and health systems take to help confirm that devices are secure and adhere to the new Ensuring Cybersecurity of Devices guidelines? Both parties should start by creating a documented plan to continuously monitor devices and to identify and remediate post-market vulnerabilities. In addition, manufacturers and providers should establish the processes and procedures that support the plan, providing assurance that devices are secure and that emerging vulnerabilities can be remediated in a timely manner.

Manufacturers must ensure they can provide the SBOM to the FDA, including commercial (e.g., off-the-shelf) and open-source software components. Further, they must be prepared to demonstrate compliance with future requirements issued through FDA regulation, for additional assurance that devices are secure.

Health care organizations should pay close attention when planning device purchases. Even if a hospital or provider purchases a device after March 29, 2023, that device may still be grandfathered into the older guidelines if its FDA application was filed before that date, and so it may not be subject to the new FDA cybersecurity guidelines.

It is therefore important for providers to perform the necessary due diligence to ensure that FDA cybersecurity expectations are met.

Moving forward, health care providers should integrate an additional testing step before the procurement phase to ensure devices are FDA-ready. This step should confirm that purchased devices are secure, and a line of communication should be established with the manufacturer to address any future security concerns.

The risks of noncompliance with FDA cybersecurity guidelines will continue for quite some time, so maintaining contact with manufacturers will be critical for providers.

When health care systems make purchases, they should work with the manufacturers to reduce risks, whether they segregate older devices to their own network or actually apply patches, because most of the older devices may have inherent risks associated, but many providers may not know what to do with the medical devices.
Paul Fountain, director, RSM US LLP

Getting the right advice

The considerable advances in medical device technology have increased efficiency, insight and the quality of patient care. However, increased connectivity across a vast number of devices has also created more potential for cybersecurity vulnerabilities. With increased FDA cybersecurity oversight, both manufacturers and health care providers need to adapt their processes to ensure devices meet the new security expectations.

RSM’s experienced consultants can advise device manufacturers and health care providers on how to align with the new Ensuring Cybersecurity of Devices guidelines. For example, our team can provide targeted penetration testing of cyber devices prior to FDA filing, SBOM documentation, process design for both pre- and post-market continuous vulnerability identification and remediation, and a managed vulnerability management program (e.g., periodic, defined vulnerability scanning).

Contact our team to learn how we can work with you to develop an FDA-compliant approach to medical device development, production and maintenance.
