What You Need to Know: FDA Updates to Medical Device Cybersecurity

In March, the FDA announced that a new policy rolling out could cause acceptance issues for Medical Device manufacturers and their creations.

• News:?FDA requires medical devices be secured against cyberattacks | CNN Business
• FDA guidance issued on March 30?Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber Devices and Related Systems Under Section 524B of the FDC Act (fda.gov)

The policy requires that all new medical device applicants must now submit a plan on how to “monitor, identify, and address” cybersecurity issues. Applicants must also create a process that provides “reasonable assurance” that the device in question is protected. Finally, applicants will need to make security updates and patches available both on a regular schedule and in critical situations. Applicants must also provide the FDA with “a software bill of materials,” including any open-source or other software their devices use.

The new security requirements came into effect as part of the sweeping?$1.7 trillion federal omnibus spending bill?signed by President Joe Biden in December. As part of the new law, the FDA must also update its medical device cybersecurity guidance at least every two years.

So, what does this mean for Medical Device manufacturers? It says a lot, but the underlying message is this: If there are cybersecurity flaws in medical devices that can impact patient safety or hospital safety, or have other serious cybersecurity implications, the device will not be sold until the flaws are remedied. This may mean delays costing millions, as well as possibly necessitating re-submission of the Premarket Notification 510(k) submission package for the device in question.

For companies that follow the FDA’s recommended UL2900 series of recommended cybersecurity controls for connected medical devices, most of the paperwork portions including the software bill of materials should already be generated as artifacts in a form that should be presentable to the FDA.

If not, these documents would need to be generated at record speed before the device is presented for a 510(k) submission to the FDA. According to the FDA website, “A 510(k) is a premarket submission made to FDA to demonstrate that the device to be marketed is as safe and effective, that is, substantially equivalent, to a legally marketed device (section 513(i)(1)(A) FD&C Act). Submitters must compare their device to one or more similar legally marketed devices and make and support their substantial equivalence claims.”[1]

That brings us to more interesting artifacts better aligned with my expertise: penetration test artifacts that must be submitted to the FDA. This is where things may get more difficult for device manufacturers, depending on how they align their tests.

Click here to read the rest of the article on the Secureworks Blog.