
FDA Watch: What Labs Need to Know About New Medical Device Cybersecurity Rules

Sep 29, 2023 | Essential, FDA-lir, Lab Compliance Advisor, Laboratory Industry Report, National Lab Reporter

As of October 1, medical device makers must include information about their products’ vulnerabilities when seeking premarket authorization.

On October 1, the FDA will start enforcing a new federal law addressing the cybersecurity of medical devices. Under the law, companies seeking premarket authorization must include information about the vulnerability of their products to cyberattacks in their submissions. Companies that omit the required cybersecurity information risk receiving a “refuse to accept” (RTA) notice from the agency.1

The New FDA Medical Device Cybersecurity Rules

Connectivity and reliance on software applications make medical devices particularly vulnerable to cyberattacks. One of the greatest risks comes from ransomware—a form of malicious software that can take the embedded computer on a medical device hostage—encrypting its data and preventing its owners from accessing the device until they agree to pay a ransom fee. The FDA has expressed increasing concern about such cyberattacks and, in April 2022, issued draft guidance—which was made final on September 27, 2023—recommending measures device makers should implement to ensure they address cybersecurity during each stage of their product’s life cycle.2 The guidance also calls on device makers to incorporate certain information addressing cybersecurity vulnerability into their premarket submissions.3

FDA Warns Labs of Cybersecurity Vulnerabilities in Illumina NGS Platforms

Less than two months after publishing the 2022 guidance, the FDA issued a letter to providers warning about a potential cybersecurity vulnerability affecting the Local Run Manager software in certain next-generation sequencing instruments produced by Illumina, including the NextSeq 550Dx, MiSeqDx, NextSeq 500, NextSeq 550, MiSeq, iSeq, and MiniSeq.4 Another letter on April 27, 2023, warned providers and lab personnel that a vulnerability in these same Illumina instruments’ Universal Copy Service software poses a risk of unauthorized users remotely seizing control or altering settings, configurations, software, or data on the instrument or a customer’s network, compromising the integrity of test results. The vulnerability also impacted Illumina’s iScan, NextSeq 1000/2000, and NovaSeq 6000 instruments.5

The decisive moment came at the end of 2022 when Congress passed omnibus budget legislation called the Consolidated Appropriations Act, 2023.6 Section 3305 of this act added Section 524B to the Food, Drug, and Cosmetic Act, requiring those seeking premarket authorization for a “cyber device” to take steps to address the product’s cybersecurity vulnerabilities. Section 524B defines cyber device as one that:6

1. Includes software validated, installed, or authorized by the sponsor as a device or in a device

2. Has the ability to connect to the internet

3. Contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats

Premarket submissions covered by the FDA guidance include 510(k), premarket approval applications (PMA), Product Development Protocols (PDPs), De Novo, Investigational Device Exemptions (IDEs), and Humanitarian Device Exemptions (HDEs).

Compliance Impact on Labs

Although Section 524B officially took effect on March 29, the FDA indicated that it would “work collaboratively” with producers on the new requirements and not issue any RTA notices for failure to comply until October 1.7 Now the grace period is ending and compliance with Section 524B cybersecurity standards will be mandatory to avoid RTA notices. Specifically, Section 524B(b) requires device makers to take three sets of measures:7

1. “Submit a plan to monitor, identify, and address…postmarket cybersecurity vulnerabilities…including coordinated vulnerability disclosure and related procedures”

2. “Design, develop, and maintain processes” providing “reasonable assurance that the device and related systems are cybersecure,” which includes making available “postmarket updates and patches”

3. “Provide a software bill of materials, including commercial, open-source, and off-the-shelf software components”

Takeaway and How to Comply

The legislation lays out the general cybersecurity principles and leaves it to the FDA to determine the actual steps device makers should take to achieve them. The now finalized FDA guidance fleshes out many crucial details, including those regarding two key aspects of compliance:

1. Product Design Cybersecurity Compliance Strategy

The final guidance offers an end-to-end strategy for device makers to tackle the cybersecurity issue across a product’s total life cycle, both premarket and postmarket. Key recommendations include:8

• Incorporate threat modeling into the product design process to anticipate possible types of cyberattacks and mitigation strategies.

• Use a security architecture that maps out all end-to-end connections into and/or out of the system, and include the architecture in the premarket submission.

• Perform cybersecurity testing not simply to verify, but also to demonstrate, the effectiveness of design controls in responding to cyberthreats under actual conditions.

• Use product labeling to warn device users of product-specific cybersecurity threats and to help them determine whether the device has been compromised and take appropriate response action.

2. Premarket Submission Compliance Strategy

The guidance also says that a premarket submission should incorporate a vulnerability communication plan that lists:8

• personnel responsible for the device’s cybersecurity;

• sources, methods, and frequency for monitoring for and identifying vulnerabilities;

• periodic security testing to test the impact of any vulnerabilities identified;

• a timeline to develop and release patches;

• update processes;

• patching capabilities, i.e., the rate at which updates can be delivered to devices;

• a description of their coordinated vulnerability disclosure process; and

• a description of how the manufacturer intends to communicate forthcoming remediations, patches, and updates to customers.

Bottom Line

Technically, the FDA guidance is not legally binding. However, it represents the agency’s current policies and expectations regarding what device makers must do to ensure product cybersecurity. So, unless and until the agency announces official regulations implementing the new Section 524B cybersecurity requirements, following the guidance is likely the best compliance strategy for lab leaders.

References:

1. https://www.fda.gov/regulatory-information/search-fda-guidance-documents/cybersecurity-medical-devices-refuse-accept-policy-cyber-devices-and-related-systems-under-section

2. https://www.fda.gov/regulatory-information/search-fda-guidance-documents/cybersecurity-medical-devices-quality-system-considerations-and-content-premarket-submissions

3. https://www.g2intelligence.com/fda-lays-out-new-guidelines-for-medical-device-cybersecurity/

4. https://www.fda.gov/medical-devices/letters-health-care-providers/illumina-cybersecurity-vulnerability-may-present-risks-patient-results-and-customer-networks-letter

5. https://www.fda.gov/medical-devices/letters-health-care-providers/illumina-cybersecurity-vulnerability-affecting-universal-copy-service-software-may-present-risks

6. https://www.congress.gov/117/bills/hr2617/BILLS-117hr2617enr.pdf

7. https://www.fda.gov/medical-devices/digital-health-center-excellence/cybersecurity-medical-devices-frequently-asked-questions-faqs

8. https://www.fda.gov/media/119933/download

****

Here are the key new FDA clearances that were announced in the period from August to September 2023:

New FDA Approvals & Emergency Use Authorizations (EUAs)

Manufacturer(s) | Product
Princeton BioMeditech | EUA for ViraDx SARS-CoV-2/Flu A+B Rapid Antigen Test for simultaneous detection and differentiation of SARS-CoV-2, influenza A, and influenza B
23andMe | 510(k) clearance to report 41 additional variants in the BRCA1 and BRCA2 genes linked to risks of breast, ovarian, prostate, and pancreatic cancers
Quest Diagnostics | Breakthrough Device designation for AAVrh74 ELISA assay as a companion diagnostic to identify patients eligible for treatment with Sarepta Therapeutics’ ELEVIDYS® (delandistrogene moxeparvovec-rokl), gene therapy for Duchenne muscular dystrophy
LivaNova | 510(k) clearance for Essenz In-Line Blood Monitor (ILBM)
PixCell Medical | 510(k) clearance for direct capillary sampling with the PixCell HemoScreen™ complete blood count analyzer
Tempus | Breakthrough Device designation for HLA-LOH assay as companion diagnostic test for identifying cancer patients with solid tumors who may benefit from treatment with specific targeted therapies

New CE Marks & Global Certifications

Notable European CE certifications announced during the period:

New Approvals in Europe

Manufacturer(s) | Product(s)
LivaNova | Essenz In-Line Blood Monitor (ILBM)
Thermo Fisher Scientific | EXENT® Solution automated mass spectrometry system for diagnosing and assessing patients with monoclonal gammopathies, including multiple myeloma
Agilent Technologies | PD-L1 IHC 22C3 pharmDx companion diagnostic assay to identify cancer patients eligible for treatment with anti-PD-1 therapies
Geneseeq Technology | GeneseeqPrime and GeneseeqPrime HRD NGS-based kits for solid tumor profiling
Geneseeq Technology | Hemasalus DNA/Hemarna RNA NGS-based kit for hematological cancer genomic profiling

Other international clearances announced during the period:

Manufacturer(s) | Country | Product(s)
Genedrive | UK | Genedrive® CYP2C19 System to identify stroke patients likely to respond to clopidogrel treatment by testing for six genetic variants of the CYP2C19 gene affecting loss of metabolism function and poor activation of clopidogrel
Guardant Health | Japan | Guardant360® CDx liquid biopsy test as companion diagnostic to select patients with unresectable advanced or recurrent, HER2-mutant, non-small cell lung cancer for treatment with Daiichi Sankyo’s antibody drug conjugate ENHERTU® (trastuzumab deruxtecan)
Bionano Genomics (via its Chinese original equipment manufacturing partner, A-smart MedTech) | China | G2 direct label and stain (DLS) DNA labeling kit
Bionano Genomics (via its Chinese original equipment manufacturing partner, A-smart MedTech) | China | G2 SP bone marrow aspirate (BMA) DNA isolation kit
