Cybersecurity takes centre stage in the US market:
After data interoperability, the next area the US government is focusing on, in alignment with HHS and the FDA, is the cybersecurity of medical devices. As the market for IoMT devices grows and integrated healthcare systems are increasingly connected to the internet, the number of "cyber devices" will rise with it, and cybersecurity in these devices becomes essential for patient safety.
The timeline of events that made cybersecurity a priority for medical device companies:
The Consolidated Appropriations Act, 2023 ("Omnibus") was passed by the US Congress, and medical device cybersecurity formed an integral part of the 4,000-plus-page bill. It was signed into law on December 29, 2022, and its medical device cybersecurity provisions came into effect on March 29, 2023.
Section 3305 of the Omnibus is dedicated to ensuring the cybersecurity of medical devices. It adds a new section 524B to the Federal Food, Drug, and Cosmetic Act (FD&C Act) and gives the FDA the authority to scrutinise medical device applications from a cybersecurity perspective.
One of the biggest changes for medical device companies is that from October 1, 2023, the FDA can "Refuse To Accept" (RTA) applications made under the 510(k), premarket approval (PMA), Product Development Protocol (PDP), De Novo, or Humanitarian Device Exemption (HDE) pathways if the required cybersecurity information is missing. Cybersecurity was previously addressed through FDA guidance rather than statute, so the FDA could not reject an application on cybersecurity grounds alone.
To understand which medical devices are under scrutiny, you first need to understand how the FDA defines a cyber device.
What is a cyber device according to the FDA?
Section 524B(c) of the FD&C Act defines a "cyber device" as a device that meets all three of the following:
- it includes software validated, installed, or authorized by the sponsor as a device or in a device;
- it has the ability to connect to the internet; and
- it contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.
In practice this covers any device that could be exposed to cyber threats through internet connectivity, or through an integration (network, wireless, cloud or similar) that could give an attacker unauthorised access to the device. Note that the ability to connect is what counts, not whether the device is actually connected in the field.
Now that we know which devices are affected by these changes, let us look at what the FDA expects medical device companies to demonstrate when they talk about cybersecurity.
What must medical device companies include in the cybersecurity documentation that the FDA now requests?
Under section 524B(b)(1) of the FD&C Act, a submission for a cyber device must include a plan to "monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures".
Manufacturers must also design, develop and maintain processes and procedures that provide a reasonable assurance that the device and related systems are cybersecure, and they must make post-market updates and patches available: on a reasonably justified regular cycle for known unacceptable vulnerabilities, and as soon as possible out of cycle for critical vulnerabilities that could cause uncontrolled risks.
Beyond the device, its firmware and the manufacturer's own software, medical devices often embed third-party code. The law therefore requires manufacturers to provide the FDA with a software bill of materials (SBOM) listing the device's commercial, open-source, and off-the-shelf software components.
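As an added example (not code from this post, from AIMDek or from the FDA), the script below shows what a submission-ready SBOM and the post-market monitoring plan above look like in practice: it builds a CycloneDX-style SBOM for a hypothetical connected infusion pump, checks it for the NTIA "minimum elements" that the FDA's premarket cybersecurity guidance points to (supplier, component name, version, unique identifier, dependency relationship, SBOM author and timestamp), and cross-references the components against an advisory list. The device, every component name, version, supplier, purl and advisory entry is constructed for illustration; the advisory feed stands in for a real source such as NVD or ICS-CERT.

```python
"""Added example: build a CycloneDX-style SBOM for a hypothetical cyber device,
check it for the NTIA minimum elements, and match it against advisories.
All device, component, supplier and advisory data below is constructed."""
import re
from datetime import datetime, timezone

# Constructed component inventory for a hypothetical "PumpOS" infusion pump.
# One entry lacks a version and one lacks a supplier so the checks have
# something to flag.
COMPONENTS = [
    {"type": "firmware", "name": "pumpos-firmware", "version": "2.4.1",
     "supplier": "Example Medical Inc.",
     "purl": "pkg:generic/example-medical/pumpos-firmware@2.4.1"},
    {"type": "library", "name": "libacme-telemetry", "version": "3.2.0",
     "supplier": "Acme Components Ltd.",
     "purl": "pkg:generic/acme/libacme-telemetry@3.2.0"},
    {"type": "library", "name": "libexample-ble", "version": "",
     "supplier": "Example BLE Co.",
     "purl": "pkg:generic/example-ble/libexample-ble"},
    {"type": "operating-system", "name": "examplertos", "version": "10.3",
     "supplier": "", "purl": "pkg:generic/examplertos@10.3"},
]

# Constructed advisory feed (stand-in for NVD / ICS-CERT). "fixed_in" is the
# first non-vulnerable version; anything below it is affected.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "component": "libacme-telemetry",
     "fixed_in": "3.2.4", "severity": "critical"},
    {"id": "EXAMPLE-ADV-0002", "component": "examplertos",
     "fixed_in": "10.2", "severity": "medium"},
    {"id": "EXAMPLE-ADV-0003", "component": "libexample-ble",
     "fixed_in": "1.5", "severity": "high"},
]

DEVICE_PURL = "pkg:generic/example-medical/pumpos@2.4.1"  # constructed


def build_sbom(components, author="Example Medical Product Security"):
    """Assemble a CycloneDX 1.4 document: metadata (author, timestamp, the
    device as root component), the component list, and a dependency record
    stating that the device depends on every listed component."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "authors": [{"name": author}],
            "component": {"type": "device", "name": "pumpos",
                          "version": "2.4.1", "bom-ref": DEVICE_PURL},
        },
        "components": [
            {"type": c["type"], "name": c["name"], "version": c["version"],
             "supplier": {"name": c["supplier"]}, "purl": c["purl"],
             "bom-ref": c["purl"]}
            for c in components
        ],
        "dependencies": [
            {"ref": DEVICE_PURL, "dependsOn": [c["purl"] for c in components]}
        ],
    }


def check_minimum_elements(sbom):
    """Return a finding for each missing NTIA minimum element: author and
    timestamp for the document; supplier, version, unique identifier and a
    dependency relationship for each component."""
    findings = []
    meta = sbom.get("metadata", {})
    if not meta.get("authors"):
        findings.append("document: missing author of SBOM data")
    if not meta.get("timestamp"):
        findings.append("document: missing timestamp")
    referenced = set()
    for dep in sbom.get("dependencies", []):
        referenced.update(dep.get("dependsOn", []))
    for comp in sbom.get("components", []):
        name = comp["name"]
        if not comp.get("supplier", {}).get("name"):
            findings.append(f"{name}: missing supplier name")
        if not comp.get("version"):
            findings.append(f"{name}: missing version")
        if not comp.get("purl"):
            findings.append(f"{name}: missing unique identifier (purl)")
        if comp.get("bom-ref") not in referenced:
            findings.append(f"{name}: not placed in the dependency graph")
    return findings


def _version_tuple(version):
    """Dotted numeric version -> tuple, so '10.3' > '10.2', '3.2.0' < '3.2.4'."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def match_advisories(sbom, advisories):
    """Cross-reference components against advisories. Returns a list of
    (component, advisory id, severity). A component without a version is
    reported as 'unassessable' because it cannot be matched either way."""
    hits = []
    by_name = {c["name"]: c for c in sbom.get("components", [])}
    for adv in advisories:
        comp = by_name.get(adv["component"])
        if comp is None:
            continue
        if not comp.get("version"):
            hits.append((comp["name"], adv["id"], "unassessable"))
        elif _version_tuple(comp["version"]) < _version_tuple(adv["fixed_in"]):
            hits.append((comp["name"], adv["id"], adv["severity"]))
    return hits


if __name__ == "__main__":
    sbom = build_sbom(COMPONENTS)
    for finding in check_minimum_elements(sbom):
        print("MISSING:", finding)
    for name, adv_id, severity in match_advisories(sbom, ADVISORIES):
        print(f"ADVISORY: {name} affected by {adv_id} ({severity})")
```

Run as-is, the check flags the component with no version and the one with no supplier, and the advisory match reports the outdated telemetry library as critical while marking the version-less BLE library as unassessable. That last case is the one to watch: a component you cannot version is a component whose vulnerabilities you cannot monitor, which undermines the post-market plan the statute requires.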
What steps can medical device manufacturers take now to build cybersecurity into the device development stage, and how can they align their products with the revamped FDA requirements to avoid an RTA? Consider the following points:
After all these updates, it is evident that the FDA has made security a priority for medical device companies, especially those building IoMT and other internet-connected devices. For these companies, the right approach is to treat security as a product requirement from the very start.
Consider security at every level of hardware engineering and the SDLC:
From the first design of the medical device, manufacturers will have to factor security into the blueprint of the product. (The FDA even suggests a security switch or button that can stop a device from being breached.) Security measures and precautions must likewise be built into every phase of the software development lifecycle.
Ensure comprehensive security across the entire digital ecosystem of your device:
To keep a device cyber secure, medical device companies must consider security during architecture design, threat modeling, risk analysis, and product and software testing.
So when you test your product and submit it to the FDA for approval, be ready to demonstrate that it is not only functionally, mechanically, electrically, and chemically safe, but also cyber safe.
Think about the present as well as the future:
The FDA will ask medical device manufacturers for annual reports on their cybersecurity measures. This annual report will cover:
- Vulnerabilities encountered in the past year
- Steps taken to identify and report each vulnerability and to remediate its impact
- The rationale for the chosen response to each vulnerability
- References to other devices that faced similar challenges (if any), their approach, and their response
Based on these changes, manufacturers will have to ensure cybersecurity not only at the time of FDA submission but also after approval. Further regulations and changes are expected from the FDA, so medical device companies must put in place processes and procedures for handling cybersecurity, along with testing frameworks and QA automation, to support continuous cybersecurity monitoring.
A steady walk towards a cyber-secure healthcare ecosystem:
Along with submission and post-approval processes, medical device companies will have to consider the functional changes to their SDLC suggested by the FDA, and down the line the healthcare and MedTech industries must also prepare for the cybersecurity mark that the FDA might issue for medical devices.
This is the first post in a three-part series from AIMDek. The second post will cover post-approval maintenance and the cybersecurity functional requirements guided by the FDA. The third post will cover how cybersecurity will impact medical devices and what to look for on the horizon in the long run.
So, stay tuned to our blog for these updates, and if you are facing technology challenges with your medical device hardware or software, get in touch with our MedTech experts today.