Home 5 Lab Industry Advisor 5 Essential 5 FDA Watch: What Labs Need to Know About New Medical Device Cybersecurity Rules

FDA Watch: What Labs Need to Know About New Medical Device Cybersecurity Rules

by | Sep 29, 2023 | Essential, FDA-lir, Lab Compliance Advisor, Laboratory Industry Report, National Lab Reporter

As of October 1, medical device makers must include information about their products’ vulnerabilities when seeking premarket authorization.

On October 1, the FDA will start enforcing a new federal law addressing the cybersecurity of medical devices. Under the law, companies seeking premarket authorization must include information about the vulnerability of their products to cyberattacks in their submissions. Companies that omit the required cybersecurity information risk receiving a “refuse to accept” (RTA) notice from the agency.1

The New FDA Medical Device Cybersecurity Rules

Connectivity and reliance on software applications make medical devices particularly vulnerable to cyberattacks. One of the greatest risks comes from ransomware—a form of malicious software that can take the embedded computer on a medical device hostage—encrypting its data and preventing its owners from accessing the device until they agree to pay a ransom fee. The FDA has expressed increasing concern about such cyberattacks and, in April 2022, issued draft guidance—which was made final on September 27, 2023—recommending measures device makers should implement to ensure they address cybersecurity during each stage of their product’s life cycle.2 The guidance also calls on device makers to incorporate certain information addressing cybersecurity vulnerability into their premarket submissions.3

FDA Warns Labs of Cybersecurity Vulnerabilities in Illumina NGS Platforms

Less than two months after publishing the 2022 guidance, the FDA issued a letter to providers warning about a potential cybersecurity vulnerability affecting the Local Run Manager software in certain next-generation sequencing instruments produced by Illumina, including the NextSeq 550Dx, MiSeqDx, NextSeq 500, NextSeq 550, MiSeq, iSeq, and MiniSeq.4 Another letter on April 27, 2023, warned providers and lab personnel that a vulnerability in these same Illumina instruments’ Universal Copy Service software poses a risk of unauthorized users remotely seizing control or altering settings, configurations, software, or data on the instrument or a customer’s network, compromising the integrity of test results. The vulnerability also impacted Illumina’s iScan, NextSeq 1000/2000, and NovaSeq 6000 instruments.5

The decisive moment came at the end of 2022 when Congress passed omnibus budget legislation called the Consolidated Appropriations Act, 2023.6 Section 3305 of this act added Section 524B to the Food, Drug, and Cosmetic Act, requiring those seeking premarket authorization for a “cyber device” to take steps to address the product’s cybersecurity vulnerabilities. Section 524B defines cyber device as one that:6

    1. Includes software validated, installed, or authorized by the sponsor as a device or in a device

    1. Has the ability to connect to the internet

  1. Contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threat

Premarket submissions covered by the FDA guidance include 510(k), premarket approval applications (PMA), Product Development Protocols (PDPs), De Novo, Investigational Device Exemptions (IDEs), and Humanitarian Device Exemptions (HDEs).

Compliance Impact on Labs

Although Section 524B officially took effect on March 29, the FDA indicated that it would “work collaboratively” with producers on the new requirements and not issue any RTA notices for failure to comply until October 1.7 Now the grace period is ending and compliance with Section 524B cybersecurity standards will be mandatory to avoid RTA notices. Specifically, Section 524B(b) requires device makers to take three sets of measures:7

    1. “Submit a plan to monitor, identify, and address…postmarket cybersecurity vulnerabilities…including coordinated vulnerability disclosure and related procedures”

    1. “Design, develop, and maintain processes” providing “reasonable assurance that the device and related systems are cybersecure,” which includes making available “postmarket updates and patches”

  1. “Provide a software bill of materials, including commercial, open-source, and off-the-shelf software components”

Takeaway and How to Comply

The legislation lays out the general cybersecurity principles and leaves it to the FDA to determine the actual steps device makers should take to achieve them. The now finalized FDA guidance fleshes out many crucial details, including those regarding two crucial aspects of compliance:

1. Product Design Cybersecurity Compliance Strategy

The final guidance offers an end-to-end strategy for device makers to tackle the cybersecurity issue across a product’s total life cycle, both premarket and postmarket. Key recommendations include:8

    • Incorporate threat modeling into the product design process to anticipate possible types of cyberattacks and mitigation strategies.

    • Use a security architecture that maps out all end-to-end connections into and/or out of the system, and include the architecture in the premarket submission.

    • Perform cybersecurity testing not simply to verify, but also demonstrate the effectiveness of design controls in responding to cyberthreats under actual conditions.

  • Use product labels to warn device users of product-specific cybersecurity threats, determine whether the device has been compromised, and take appropriate response action.

2. Premarket Submission Compliance Strategy

The guidance also says that a premarket submission should incorporate a vulnerability communication plan that lists:8

    • personnel responsible for the device’s cybersecurity;

    • sources, methods, and frequency for monitoring for and identifying vulnerabilities;

    • periodic security testing to test the impact of any vulnerabilities identified;

    • a timeline to develop and release patches;

    • update processes;

    • patching capabilities, i.e., the rate at which updates can be delivered to devices;

    • a description of their coordinated vulnerability disclosure process; and

  • a description of how the manufacturer intends to communicate forthcoming remediations, patches, and updates to customers.

Bottom Line

Technically, the FDA guidance is not legally binding. However, it represents the agency’s current policies and expectations regarding what device makers must do to ensure product cybersecurity. So, unless and until the agency announces official regulations implementing the new Section 524B cybersecurity requirements, following the guidance is likely the best compliance strategy for lab leaders.


    1. https://www.fda.gov/regulatory-information/search-fda-guidance-documents/cybersecurity-medical-devices-refuse-accept-policy-cyber-devices-and-related-systems-under-section

    1. https://www.fda.gov/regulatory-information/search-fda-guidance-documents/cybersecurity-medical-devices-quality-system-considerations-and-content-premarket-submissions

    1. https://www.g2intelligence.com/fda-lays-out-new-guidelines-for-medical-device-cybersecurity/

    1. https://www.fda.gov/medical-devices/letters-health-care-providers/illumina-cybersecurity-vulnerability-may-present-risks-patient-results-and-customer-networks-letter

    1. https://www.fda.gov/medical-devices/letters-health-care-providers/illumina-cybersecurity-vulnerability-affecting-universal-copy-service-software-may-present-risks

    1. https://www.congress.gov/117/bills/hr2617/BILLS-117hr2617enr.pdf

    1. https://www.fda.gov/medical-devices/digital-health-center-excellence/cybersecurity-medical-devices-frequently-asked-questions-faqs

  1. https://www.fda.gov/media/119933/download


Here are the key new FDA clearances that were announced in the period from August to September 2023:

New FDA Approvals & Emergency Use Authorizations (EUAs)

Manufacturer(s) Product
Princeton BioMeditech EUA for ViraDx SARS-CoV-2/Flu A+B Rapid Antigen Test for simultaneous detection and differentiation of SARS-CoV-2, influenza A, and influenza B
23andMe 510(k) clearance to report 41 additional variants in the BRCA1 and BRCA2 genes linked to risks of breast, ovarian, prostate, and pancreatic cancers
Quest Diagnostics Breakthrough Device designation for AAVrh74 ELISA assay as a companion diagnostic to identify patients eligible for treatment with Sarepta Therapeutics’ ELEVIDYS® (delandistrogene moxeparvovec-rokl), gene therapy for Duchenne muscular dystrophy
LivaNova 510(k) clearance for Essenz In-Line Blood Monitor (ILBM)
PixCell Medical 510(k) clearance for direct capillary sampling with the PixCell HemoScreen™ complete blood count analyzer
Tempus Breakthrough Device designation for HLA-LOH assay as companion diagnostic test for identifying cancer patients with solid tumors who may benefit from treatment with specific targeted therapies

New CE Marks & Global Certifications

Notable European CE certifications announced during the period:

New Approvals in Europe

Manufacturer(s) Product(s)
LivaNova Essenz In-Line Blood Monitor (ILBM)
Thermo Fisher Scientific EXENT® Solution automated mass spectrometry system for diagnosing and assessing patients with monoclonal gammopathies, including multiple myeloma
Agilent Technologies PD-L1 IHC 22C3 pharmDx companion diagnostic assay to identify cancer patients eligible for treatment with anti-PD-1 therapies
Geneseeq Technology GeneseeqPrime and GeneseeqPrime HRD NGS-based kits for solid tumor profiling
Geneseeq Technology Hemasalus DNA/Hemarna RNA NGS-based kit for hematological cancer genomic profiling

Other international clearances announced during the period:

Manufacturer(s) Country Product(s)
Genedrive UK Genedrive® CYP2C19 System to identify stroke patients likely to respond to clopidogrel treatment by testing for six genetic variants of CYP2C19 gene affecting loss of metabolism function and poor activation of clopidogrel
Guardant Health Japan Guardant360® CDx liquid biopsy test as companion diagnostic to select patients with unresectable advanced or recurrent, HER2-mutant, non-small cell lung cancer for treatment with Daiichi Sankyo’s antibody drug conjugate ENHERTU® (trastuzumab deruxtecan)
Bionano Genomics (via its Chinese original equipment manufacturing partner, A-smart MedTech) China G2 direct label and stain (DLS) DNA labeling kit
Bionano Genomics (via its Chinese original equipment manufacturing partner, A-smart MedTech) China G2 SP bone marrow aspirate (BMA) DNA isolation kit

Subscribe to view Essential

Start a Free Trial for immediate access to this article