FDA Cybersecurity Guidance
The Internet of Things (IoT) has been revolutionizing healthcare for several years. The challenge is that connected devices send data across networks to databases, and every link in that chain may be vulnerable to cyber attacks if it is not adequately secured.
Advanced medical devices also need to be maintained and updated. Some aging devices represent technical debt for providers and healthcare delivery organizations. Technical debt refers to outdated software components that are still in use and require updates or, in some cases, are no longer supported by the manufacturer.
Below is a useful, if sobering, overview of the risks and repercussions of cybercrime and connected medical devices.
Innovation always outpaces regulation, and the medical device sector is no exception.
The FDA and other regulatory bodies are working to update regulations to provide higher levels of cybersecurity across the spectrum of connected medical devices.
On March 29, 2023, Section 3505, “Ensuring Cybersecurity of Medical Devices,” of the 2023 Consolidated Appropriations Act amended the Federal Food, Drug, and Cosmetic Act (FD&C Act) by adding section 524B, which focuses on ensuring the cybersecurity of devices.
By the end of March, the FDA began using these new protocols to make regulatory decisions on medical devices. Applications submitted before this date were not subject to the new guidance.
Below we look at an overview of the changing landscape. The good news is, as one expert points out, that the FDA has not imposed anything that most medical device manufacturers are not already aware of and include in their compliance plans.
The FDA’s Role in Regulating Cybersecurity in Medical Devices
The FDA plays an increasingly critical role in regulating cybersecurity in medical devices. The agency has established guidelines and requirements for medical device manufacturers to follow to ensure their devices are secure.
These guidelines include risk management processes, vulnerability assessment, and reporting requirements for cybersecurity incidents. Additionally, the FDA provides guidance on how medical device manufacturers should respond to cybersecurity threats and incidents to minimize their impact.
Effective cybersecurity action requires cooperation among all medical device stakeholders. The FDA works closely with the U.S. Department of Homeland Security (DHS), private sector members, medical device manufacturers, healthcare delivery organizations, security researchers, and end users to enhance the security of the U.S. critical cyber infrastructure.
Updated FDA Guidance on Cybersecurity for Medical Devices
Previously published cybersecurity guidelines focused on post-market monitoring rather than preemptive measures to prevent cyberattacks. They centered on standards for issuing notices and recalls but did not propose measures for preemptive risk management during device development and pre-market approval.
The updated guidance modifies the recommended documents and content of pre-market submissions. According to the new policy, device manufacturers or researchers submitting a medical device for FDA approval must include a plan in their initial application to monitor and address post-market cybersecurity vulnerabilities and exploits within a reasonable time frame.
In addition to post-market protocols, the application should provide “reasonable assurance” for security throughout the product life cycle.
Manufacturers must describe the design, development, and maintenance processes that ensure a medical device’s safety in the presence of unacceptable and critical vulnerabilities. The new cybersecurity requirements require manufacturers seeking FDA approval to include a software bill of materials (SBOM) and comply with other requests from the agency.
FDA Cybersecurity Update Implications for Advanced Medical Device Companies
Although the FDA suggests that these guidelines are merely recommendations, stakeholders who do not already adhere to them will likely face delays or rejection during application approval and potential repercussions and penalties in the event of a data breach, disruption, or cybersecurity issue.
Furthermore, these standards are likely to be referenced by other organizations, such as the FTC and the Department of Health and Human Services (to enforce HIPAA). In the event of a breach and subsequent class action lawsuit, lawyers may use these guidelines, specifically evidence of noncompliance with them, to build a case against a manufacturer.
The FDA is clear that the medical device manufacturer is responsible for validating all software design changes, including computer software changes that address cybersecurity vulnerabilities.
The medical product manufacturer is responsible for conducting pre-market testing. Medical device manufacturers that opt to use off-the-shelf (OTS) software must bear responsibility for their medical devices’ security and safe and effective performance.
Although the protocols are currently in effect, the FDA indicated that until October 1, 2023, it would not refuse to accept applications based on missing application materials from the new guidelines. During this period, manufacturers and sponsors will work closely with the FDA in the review process to address known risks. After October 1, all applicants will need to comply with the guidelines.
Best Practices for Medical Device Cybersecurity
A medical device’s unique purpose and function determine specific best practices for cybersecurity. Here are general best practices for medical device cybersecurity to reduce the risk of damage from cyber attacks:
- Secure Software Development
- Risk Assessment
- Third-Party Vetting
- Secure Configuration Management
- Incident Response Planning
- User Awareness and Training
- Security Updates and Patch Management
- Access Control and Authentication
For a deeper dive, you can also check out our popular post, Cybersecurity for Connected Medical Devices: Best Practices 2022.
Moving Ahead
Connected and cloud-based healthcare technology is accelerating as regulatory agencies walk the fine line between keeping up with innovation and fulfilling their mandate to keep patients and their data safe. Cybersecurity and related regulations will be a moving target for the next few years.
Do you have questions about the FDA’s evolving cybersecurity guidance? Could you use a trusted partner by your side on this journey? At Galen Data, we’re in the business of building relationships for the long haul.
We have deep experience and current expertise with the latest connected device cybersecurity measures. We are happy to walk through some scenarios with you. Reach out today to get the conversation started.