FDA Medical Device Cybersecurity Requirements: New Mandate & Enforcement Schedule

Cybersecurity of medical devices has been an increasing area of focus by the United States government in recent years.  The FDA has previously issued cybersecurity guidance for medical device premarket submissions with the most recent draft update published in April of 2022.  Until recently, this guidance was non-binding; however, this changed with the passage of the FY2023 Omnibus Appropriations Bill in December 2022.  Included in this bill was an update to the Food, Drug, and Cosmetic (FD&C) Act requiring medical device cybersecurity controls and processes for FDA approval.

Specifically, the law now requires medical device manufacturers to:

1. Submit a plan to monitor, identify, and address postmarket cybersecurity vulnerabilities and exploits including coordinated vulnerability disclosure and related procedures.
2. Design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to address vulnerabilities.
3. Provide a software bill of materials
4. Comply with other requirements the FDA may adopt to demonstrate reasonable assurance that the device and related systems are cybersecure.

On March 29^th, the FDA issued guidance on Refuse to Accept Policy for Cyber Devices and Related Systems Under Section 524B of the FD&C Act.  This guidance indicates that the FDA does not intend to issue refusal to accept (RTA) responses to medical device submissions based on these new requirements prior to October 1, 2023.  Until that date, the FDA will work collaboratively with sponsors of premarket submissions to address these requirements as part of the interactive and/or deficiency review process.  Beginning October 1^st, the FDA may RTA premarket submissions that do not include these new cybersecurity requirements.

So, what does this mean for medical device manufacturers?  Medical devices must demonstrate cybersecurity capabilities and the submitting companies must demonstrate how they will maintain this security for the lifetime of the device and associated systems.  Until October, the FDA will work with device approval submitters through the review process.  However, afterward, the FDA may reject submissions prior to the full review with an RTA.

To meet these requirements, we recommend:

1. Implement a vulnerability management plan that includes processes for tracking software component vulnerabilities through SBOM maintenance, accepts vulnerability notifications from third parties, notifies the market of these vulnerabilities, and addresses postmarket vulnerabilities and exploits through device software updates. The FDA will be looking for the ability to issue regular software updates to address non-critical vulnerabilities and timely updates to address any critical vulnerabilities.
2. Adopt a secure product development framework to implement a risk-based approach to device security by design. Create a risk assessment for the device and related systems and integrate the needed security controls into the original device design.  For best practice device security controls, consider the 2016 Postmarket Management of Cybersecurity in Medical Devices FDA guidance, the April 2022 medical device cybersecurity FDA draft guidance, and IoT device cybersecurity reference standards such as NISTIR 8259.  For example, the current FDA draft guidance recommends the following medical device security controls: Authentication, Authorization, Cryptography, Code/Data/Execution Integrity, Confidentiality, Event Detection Logging, Resiliency/Recovery, and Updateability/Patchability.  These controls are intended to ensure that medical devices cannot be accessed or tampered with by bad actors, to protect sensitive data and patient health, to monitor devices for intrusions and exploits, and to be able to quickly update a device’s security.
3. Assess your current devices and processes for their cybersecurity postures. Analysis of current in-market products will help to understand current and future cybersecurity vulnerabilities and needs.

The FDA is expected to finalize the Cybersecurity in Medical Devices Guidance in 2023, which may place additional requirements on device premarket submissions. Medical device manufacturers should stay informed of these developments and adjust their cybersecurity practices accordingly.

Stay tuned for future articles from BG Networks on device security best practices and implementation guidance.  To learn more about our device cybersecurity software and services, please visit www.bgnetworks.com or contact us via email at [email protected].

References:

1. https://www.fda.gov/regulatory-information/search-fda-guidance-documents/cybersecurity-medical-devices-quality-system-considerations-and-content-premarket-submissions
2. https://www.fda.gov/regulatory-information/search-fda-guidance-documents/cybersecurity-medical-devices-quality-system-considerations-and-content-premarket-submissions
3. https://www.fda.gov/medical-devices/digital-health-center-excellence/cybersecurity-medical-devices-frequently-asked-questions-faqs
4. https://www.fda.gov/regulatory-information/search-fda-guidance-documents/postmarket-management-cybersecurity-medical-devices
5. https://csrc.nist.gov/publications/detail/nistir/8259/final