FDA raises the bar for cybersecurity in medical devices, requires premarket submission for cyber devices

The U.S. Food and Drug Administration (FDA), an agency of the Department of Health & Human Services (HHS), published on Wednesday final guidance establishing new cybersecurity requirements for cyber devices, including the information that a sponsor of a premarket submission for a cyber device must provide in its submission. The document also spells out the provisions sponsors must address, among them a software bill of materials (SBOM) and a plan for coordinated vulnerability disclosure.

The guidance document, titled “Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber Devices and Related Systems Under Section 524B of the FD&C Act,” states that section 3305 of the Consolidated Appropriations Act, 2023 amended the Federal Food, Drug, and Cosmetic Act (FD&C Act) by adding section 524B, “Ensuring Cybersecurity of Devices.” The law states that the amendments to the FD&C Act take effect 90 days after enactment, which falls on March 29, 2023.

As provided by the Act, the cybersecurity requirements do not apply to an application or submission submitted to the FDA before March 29, 2023. FDA has determined that it is not feasible to obtain public comment prior to the 90-day statutory timeframe for the effective date of section 524B of the FD&C Act. Although this policy is being implemented immediately without prior comment, FDA will consider all comments received and revise the guidance document as appropriate.

The FDA said that medical devices are increasingly connected to the Internet, hospital networks, and other medical devices to provide features that improve health care and increase the ability of health care providers to treat patients. These same features also increase potential cybersecurity risks. Medical devices, like other computer systems, can be vulnerable to security breaches, potentially impacting the safety and effectiveness of the device.

Threats and vulnerabilities cannot be eliminated and reducing cybersecurity risks is especially challenging. The healthcare environment is complex, and manufacturers, hospitals, and facilities must work together to manage cybersecurity risks.

The FDA generally intends not to issue ‘refuse to accept’ (RTA) decisions for premarket submissions for cyber devices submitted before Oct. 1, 2023 based solely on the information required by the new section 524B. Instead, the agency intends to work collaboratively with sponsors of such premarket submissions as part of the interactive and/or deficiency review process.

RTA is a policy that the FDA implemented for premarket notification submissions (i.e., 510(k)) in 2012, and the screening occurs during the first 15 calendar days of the FDA review process, Rob Packard wrote in a blog post for the Medical Device Academy. “The FDA assigns a preliminary reviewer to perform the RTA screening of the submission, and the person completes an RTA checklist. The FDA substitutes an RTA screening with a technical screening for FDA eSTAR templates, and this is one of the reasons why Medical Device Academy uses the FDA eSTAR templates for all 510k submissions and De Novo classification requests instead of using the older 510k format and content requirements with 20 sections.”

The guidance document outlines that, effective March 29, 2023, the cybersecurity provisions of section 524B require that a person who submits an application or submission under section 510(k), 513, 515(c), 515(f), or 520(m) for a device that meets the definition of a cyber device “shall include such information as [FDA] may require to ensure that such cyber device meets the cybersecurity requirements.”

The guidance also states that the sponsor of an application or submission shall submit to the Secretary a plan to monitor, identify, and address, as appropriate and in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures.

The sponsor must also design, develop, and maintain processes and procedures that provide a reasonable assurance that the device and related systems are cybersecure. The sponsor must also make available postmarket updates and patches to the device and related systems that address known unacceptable vulnerabilities on a reasonably justified regular cycle and, as soon as possible out of cycle, critical vulnerabilities that could cause uncontrolled risks.

The sponsor will also be required to provide to the Secretary an SBOM (software bill of materials) covering commercial, open-source, and off-the-shelf software components. Sponsors must also comply with such other requirements as the Secretary may impose through regulation to demonstrate reasonable assurance that the device and related systems are cybersecure.

The guidance also specified that for premarket submissions submitted for cyber devices before Oct. 1, 2023, FDA generally intends not to issue RTA decisions based solely on information required by section 524B of the FD&C Act. “Instead, FDA intends to work collaboratively with sponsors of such premarket submissions as part of the interactive and/or deficiency review process.” 

Commenting on this aspect, Packard wrote that “we believe the FDA will update the eSTAR template to include requirements for cybersecurity on October 1, 2023. It will not be possible to submit a 510k that does not include the cybersecurity requirements in future eSTAR templates, because the eSTAR automatically verifies the completion of each section in the template.”

The guidance added that beginning Oct. 1, 2023, “FDA expects that sponsors of cyber devices will have had sufficient time to prepare premarket submissions that contain information required by section 524B of the FD&C Act, and FDA may RTA premarket submissions that do not.”

The document defines a cyber device as a device that meets all three of the following criteria: it includes software validated, installed, or authorized by the sponsor as a device or in a device; it has the ability to connect to the internet; and it contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.

Explaining what it means to a company building a medical ‘cyber device,’ Mike Kijewski, co-founder of MedCrypt and Gamma Basics, wrote in a Medium post that “it is now a requirement that you build your device to be secure by design, develop strategies to monitor and maintain the security of that device postmarket and for the life of the device, generate and maintain a software bill of materials, and generate the requisite documentation proving you’ve done so as part of your FDA regulatory submission.”

On the expectation of another cybersecurity guidance, Packard wrote that “a draft was released in 2018, and an updated draft was released in 2022. The final updated guidance is included in the A-list of FDA priorities for final guidance documents, but the updated final version has not been released yet.”

He also flagged that the FDA webpage for cybersecurity was updated to include this new guidance on RTA policy for cybersecurity devices. “We believe this indicates that the updated final version will be released soon.”

Last April, the FDA released draft guidance that provides recommendations to the healthcare industry regarding cybersecurity device design, labeling, and the documentation that the agency recommends to be included in premarket submissions for devices with cybersecurity risks. These recommendations can facilitate an efficient premarket review process and help ensure that marketed medical devices are sufficiently resilient to cybersecurity threats.
