FDA Watch: What Labs Need to Know About New Medical Device Cybersecurity Rules
As of October 1, medical device makers must include information about their products’ vulnerabilities when seeking premarket authorization.
On October 1, the FDA will start enforcing a new federal law addressing the cybersecurity of medical devices. Under the law, companies seeking premarket authorization must include information about the vulnerability of their products to cyberattacks in their submissions. Companies that omit the required cybersecurity information risk receiving a “refuse to accept” (RTA) notice from the agency.1
The New FDA Medical Device Cybersecurity Rules
Connectivity and reliance on software applications make medical devices particularly vulnerable to cyberattacks. One of the greatest risks comes from ransomware—a form of malicious software that can take the embedded computer on a medical device hostage—encrypting its data and preventing its owners from accessing the device until they agree to pay a ransom fee. The FDA has expressed increasing concern about such cyberattacks and, in April 2022, issued draft guidance—which was made final on September 27, 2023—recommending measures device makers should implement to ensure they address cybersecurity during each stage of their product’s life cycle.2 The guidance also calls on device makers to incorporate certain information addressing cybersecurity vulnerability into their premarket submissions.3
FDA Warns Labs of Cybersecurity Vulnerabilities in Illumina NGS Platforms
The decisive moment came at the end of 2022 when Congress passed omnibus budget legislation called the Consolidated Appropriations Act, 2023.6 Section 3305 of this act added Section 524B to the Food, Drug, and Cosmetic Act, requiring those seeking premarket authorization for a “cyber device” to take steps to address the product’s cybersecurity vulnerabilities. Section 524B defines cyber device as one that:6
- Includes software validated, installed, or authorized by the sponsor as a device or in a device
- Has the ability to connect to the internet
- Contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threat
Premarket submissions covered by the FDA guidance include 510(k), premarket approval applications (PMA), Product Development Protocols (PDPs), De Novo, Investigational Device Exemptions (IDEs), and Humanitarian Device Exemptions (HDEs).
Compliance Impact on Labs
Although Section 524B officially took effect on March 29, the FDA indicated that it would “work collaboratively” with producers on the new requirements and not issue any RTA notices for failure to comply until October 1.7 Now the grace period is ending and compliance with Section 524B cybersecurity standards will be mandatory to avoid RTA notices. Specifically, Section 524B(b) requires device makers to take three sets of measures:7
- “Submit a plan to monitor, identify, and address…postmarket cybersecurity vulnerabilities…including coordinated vulnerability disclosure and related procedures”
- “Design, develop, and maintain processes” providing “reasonable assurance that the device and related systems are cybersecure,” which includes making available “postmarket updates and patches”
- “Provide a software bill of materials, including commercial, open-source, and off-the-shelf software components”
Takeaway and How to Comply
The legislation lays out the general cybersecurity principles and leaves it to the FDA to determine the actual steps device makers should take to achieve them. The now finalized FDA guidance fleshes out many crucial details, including those regarding two crucial aspects of compliance:
1. Product Design Cybersecurity Compliance Strategy
The final guidance offers an end-to-end strategy for device makers to tackle the cybersecurity issue across a product’s total life cycle, both premarket and postmarket. Key recommendations include:8
- Incorporate threat modeling into the product design process to anticipate possible types of cyberattacks and mitigation strategies.
- Use a security architecture that maps out all end-to-end connections into and/or out of the system, and include the architecture in the premarket submission.
- Perform cybersecurity testing not simply to verify, but also demonstrate the effectiveness of design controls in responding to cyberthreats under actual conditions.
- Use product labels to warn device users of product-specific cybersecurity threats, determine whether the device has been compromised, and take appropriate response action.
2. Premarket Submission Compliance Strategy
The guidance also says that a premarket submission should incorporate a vulnerability communication plan that lists:8
- personnel responsible for the device’s cybersecurity;
- sources, methods, and frequency for monitoring for and identifying vulnerabilities;
- periodic security testing to test the impact of any vulnerabilities identified;
- a timeline to develop and release patches;
- update processes;
- patching capabilities, i.e., the rate at which updates can be delivered to devices;
- a description of their coordinated vulnerability disclosure process; and
- a description of how the manufacturer intends to communicate forthcoming remediations, patches, and updates to customers.
Technically, the FDA guidance is not legally binding. However, it represents the agency’s current policies and expectations regarding what device makers must do to ensure product cybersecurity. So, unless and until the agency announces official regulations implementing the new Section 524B cybersecurity requirements, following the guidance is likely the best compliance strategy for lab leaders.
Here are the key new FDA clearances that were announced in the period from August to September 2023:
New FDA Approvals & Emergency Use Authorizations (EUAs)
|Princeton BioMeditech||EUA for ViraDx SARS-CoV-2/Flu A+B Rapid Antigen Test for simultaneous detection and differentiation of SARS-CoV-2, influenza A, and influenza B|
|23andMe||510(k) clearance to report 41 additional variants in the BRCA1 and BRCA2 genes linked to risks of breast, ovarian, prostate, and pancreatic cancers|
|Quest Diagnostics||Breakthrough Device designation for AAVrh74 ELISA assay as a companion diagnostic to identify patients eligible for treatment with Sarepta Therapeutics’ ELEVIDYS® (delandistrogene moxeparvovec-rokl), gene therapy for Duchenne muscular dystrophy|
|LivaNova||510(k) clearance for Essenz™ In-Line Blood Monitor (ILBM)|
|PixCell Medical||510(k) clearance for direct capillary sampling with the PixCell HemoScreen™ complete blood count analyzer|
|Tempus||Breakthrough Device designation for HLA-LOH assay as companion diagnostic test for identifying cancer patients with solid tumors who may benefit from treatment with specific targeted therapies|
New CE Marks & Global Certifications
Notable European CE certifications announced during the period:
New Approvals in Europe
|LivaNova||Essenz™ In-Line Blood Monitor (ILBM)|
|Thermo Fisher Scientific||EXENT® Solution automated mass spectrometry system for diagnosing and assessing patients with monoclonal gammopathies, including multiple myeloma|
|Agilent Technologies||PD-L1 IHC 22C3 pharmDx companion diagnostic assay to identify cancer patients eligible for treatment with anti-PD-1 therapies|
|Geneseeq Technology||GeneseeqPrime™ and GeneseeqPrime™ HRD NGS-based kits for solid tumor profiling|
|Geneseeq Technology||Hemasalus™ DNA/Hemarna™ RNA NGS-based kit for hematological cancer genomic profiling|
Other international clearances announced during the period:
|Genedrive||UK||Genedrive® CYP2C19 System to identify stroke patients likely to respond to clopidogrel treatment by testing for six genetic variants of CYP2C19 gene affecting loss of metabolism function and poor activation of clopidogrel|
|Guardant Health||Japan||Guardant360® CDx liquid biopsy test as companion diagnostic to select patients with unresectable advanced or recurrent, HER2-mutant, non-small cell lung cancer for treatment with Daiichi Sankyo’s antibody drug conjugate ENHERTU® (trastuzumab deruxtecan)|
|Bionano Genomics (via its Chinese original equipment manufacturing partner, A-smart MedTech)||China||G2 direct label and stain (DLS) DNA labeling kit|
|Bionano Genomics (via its Chinese original equipment manufacturing partner, A-smart MedTech)||China||G2 SP bone marrow aspirate (BMA) DNA isolation kit|
Subscribe to view Essential
Start a Free Trial for immediate access to this article