Cybersecurity in Medical Devices

Introduction

In recent years, the intersection of healthcare and technology has led to significant advancements in medical devices, improving patient care and treatment outcomes. However, this convergence has also brought about a new set of challenges, particularly in the realm of cybersecurity. As medical devices become more interconnected and reliant on software, the potential vulnerabilities they face from cyber threats have become a growing concern. In response to these concerns, legislative measures have been taken to ensure the cybersecurity of medical devices. One such measure is the Consolidated Appropriations Act, 2023, which introduced amendments to the Federal Food, Drug, and Cosmetic Act (FD&C Act) to enhance the cybersecurity of medical devices.

The Consolidated Appropriations Act, 2023 and Medical Device Cybersecurity

Understanding Section 524B of the FD&C Act

On December 29, 2022, the Consolidated Appropriations Act, 2023, commonly referred to as the "Omnibus," was signed into law. Among its provisions, Section 3305 of the Omnibus focuses on "Ensuring Cybersecurity of Medical Devices." This section introduced a significant amendment to the Federal Food, Drug, and Cosmetic Act by adding section 524B, which is dedicated to the cybersecurity of medical devices.

The key aspects of section 524B are as follows:

Defining the Scope

Section 524B(a) of the FD&C Act applies to individuals or entities submitting premarket applications or submissions for medical devices that fall within the definition of a "cyber device" as outlined in section 524B(c). A cyber device is broadly described as a device that includes software authorized by the sponsor, can connect to the internet, and possesses technological characteristics that could be vulnerable to cybersecurity threats.

Compliance Timeline

Manufacturers submitting premarket applications or submissions for cyber devices are required to comply with the provisions of section 524B starting from March 29, 2023. This includes various types of premarket submissions, such as 510(k), premarket approval application (PMA), Product Development Protocol (PDP), De Novo, or Humanitarian Device Exemption (HDE). However, it's important to note that the law does not apply retroactively to submissions made before March 29, 2023.

Cybersecurity Requirements

Section 524B(b) of the FD&C Act outlines the specific cybersecurity requirements that manufacturers of cyber devices need to address:

1. Vulnerability Management Plan: Manufacturers must submit a plan detailing how they will monitor, identify, and address postmarket cybersecurity vulnerabilities and exploits. This includes procedures for coordinated vulnerability disclosure.
2. Cybersecurity Process and Procedures: Manufacturers must design, develop, and maintain processes and procedures that ensure the cyber device and related systems are cybersecure. Additionally, they must provide postmarket updates and patches for these systems.
3. Software Bill of Materials (SBOM): Manufacturers are required to provide an SBOM containing a comprehensive list of commercial, open-source, and off-the-shelf software components within the device.

The FDA also has the authority to issue additional regulations pertaining to cybersecurity, ensuring that devices and their related systems are reasonably secure against cyber threats.

Addressing Manufacturers' Questions

Who is Required to Comply?

Manufacturers submitting premarket applications for devices meeting the definition of a cyber device under section 524B(c) are obligated to adhere to the requirements of section 524B(a) and (b) of the FD&C Act. This includes a variety of premarket submissions like 510(k), PMA, PDP, De Novo, and HDE.

Defining a Cyber Device

A cyber device, as defined in section 524B(c), encompasses devices that have sponsor-authorized software, internet connectivity, and technological characteristics vulnerable to cybersecurity threats. If manufacturers are uncertain about whether their device qualifies as a cyber device, they can seek clarification from the FDA.

Applying the Law Retroactively

While the cybersecurity requirements do not apply to submissions made before March 29, 2023, changes to previously authorized cyber devices that require premarket review by the FDA would fall under the purview of this law.

Demonstrating Compliance

Manufacturers must demonstrate compliance with the cybersecurity requirements outlined in section 524B(b) of the FD&C Act. This entails submitting plans for vulnerability management, designing secure processes, providing updates and patches, and presenting an SBOM.

Leveraging Available Resources

Manufacturers can draw from various resources to meet the requirements of section 524B(b):

• FDA Guidance: The 2014 FDA guidance "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices" and the 2016 guidance "Postmarket Management of Cybersecurity in Medical Devices" offer recommendations for managing cybersecurity throughout a device's lifecycle.
• Consensus Standards: Recognized consensus standards like AAMI/UL 2900-1:2017 and IEC 810001-5-1:2021 provide valuable support for cybersecurity documentation.
• Software Component Transparency: The October 2021 NTIA Multistakeholder Process on Software Component Transparency document "Framing Software Component Transparency" offers insights into creating a common SBOM.

Conclusion

The increasing integration of technology into medical devices offers unprecedented benefits to patient care but also exposes devices to new cybersecurity risks. The Consolidated Appropriations Act, 2023, recognizes the significance of safeguarding medical devices against cyber threats. Section 524B of the FD&C Act provides a framework for manufacturers to ensure the cybersecurity of their devices, addressing vulnerabilities, providing updates, and enhancing transparency. By complying with these regulations and utilizing available resources, manufacturers can play a pivotal role in creating a safer and more secure medical device landscape.