Key Ways to Prepare For Revamped Medical Device Security Requirements

June 01, 2023 - The Consolidated Appropriations Act of 2023 (Omnibus) was signed into law in December 2022, amending the Federal Food, Drug, and Cosmetic Act  to include key medical device security provisions.

The Omnibus signified major changes for medical device manufacturers regarding premarket cybersecurity guidance and solidified the FDA’s commitment to ensuring that security is a top consideration throughout the medical device lifecycle.  

 “Until the omnibus passed, FDA had no statutory authority to ask for cybersecurity. All cybersecurity requests were previously framed within a risk management context,” said Naomi Schwartz, senior director of cybersecurity quality and safety at MedCrypt.

“With the Omnibus, the Food, Drug, and Cosmetic Act was amended to include explicit requirements. This is a first that FDA has a statutory authority to say that you must do certain things for certain types of devices.”

As of March 29, 2023, medical device manufacturers must now provide certain cybersecurity information to the FDA in their premarket device submissions. What’s more, on October 1st, the FDA will begin refusing submissions on the basis of cybersecurity. To avoid setbacks, manufacturers should implement key medical device security best practices today to meet compliance obligations and ensure a smooth device submission process.

Overview of New FDA Requirements, Effective Now

Section 3305 of the Omnibus requires device manufacturers to submit a thorough plan “to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures,” the FDA says on its website.

This requirement will ideally strengthen medical device submissions by requiring manufacturers to plan for future device maintenance and security challenges.

“In other words, if a researcher calls them up and says, ‘I found something,’ they have to have a process that that person can follow that gets the information to them, that they then evaluate and that they communicate if they find that it is valid and problematic for their device,” Schwartz noted.

“They can't just sweep it under the rug and tell researchers to go away, and they have to collect and maintain other information as the secretary may require.”

In addition, manufacturers are now required to demonstrate through assurances that their devices and related systems are cybersecure and make postmarket updates and patches to ensure security. What’s more, the FDA has the authority to issue future regulations to aid in demonstrating reasonable cybersecurity assurances.

“We are basically seeing, in the Food, Drug, and Cosmetic Act, an open-ended ability for the secretary to add new regulation or guidance, as determined by the secretary or by FDA to be necessary, as cybersecurity processes evolve, and as the attack surfaces evolve, and as the attackers evolve,” Schwartz said.

The Omnibus also requires that manufacturers provide a software bill of materials (SBOM) for their devices and associated systems, including commercial, open-source, and off-the-shelf software components.  

As previously reported, SBOMs can be beneficial because they make it easier to monitor and manage vulnerabilities, understand dependencies across application components, and aid in compliance efforts. The FDA has released SBOM guidance in the past and SBOMs have been adopted in other industries, such as the automotive industry. With these resources and examples available, medical device manufacturers can provide the FDA with a complete picture of device components and corresponding security considerations.

All the aforementioned cybersecurity requirements do not apply to devices retroactively. However, if a cyber device was previously authorized and the manufacturer aims to make further changes warranting a premarket review, the law would apply for the updated premarket submission.

How the FDA Defines a “Cyber Device”

An important caveat to consider during the premarket process is how the Federal Food, Drug, and Cosmetic Act defines a “cyber device.” In order to qualify as a cyber device under this Act, the device must meet the following three criteria, as stated by the FDA:

- Include software validated, installed, or authorized by the sponsor as a device or in a device

- Have the ability to connect to the internet

- Contain any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to the cybersecurity threats

It is important to note that while these requirements are in effect right now, there is still room for further development.

“We know that, for example, guidance documents the FDA has published as recently as last year are still in draft format, and I expect the two to come out within the next few months in the final format. And what happened between the initial draft and final is exactly that, the Omnibus Act, which I think will significantly impact how the FDA now will position the final,” said Axel Wirth, chief security strategist at MedCrypt.

“But now regulatory enforcement has teeth, whereas before, it was really more of a polite approach of asking manufacturers to demonstrate that they're compliant. Enforcement is now part of the package, and therefore we expect and speculate that the final guidance will be a significant step forward as compared to what we've seen in the draft.”

What Happens on October 1st?

Starting October 1, 2023, the FDA plans to begin issuing “refuse to accept” (RTA) decisions for premarket submissions that do not fit its cybersecurity requirements. But for submissions received by the FDA between March 29th and October 1st, the FDA will work with manufacturers to resolve issues collaboratively.

“They are also saying that files that have come in before October 1st are going to have these conversations, but interactively rather than through deficiency letters,” Schwartz added.

“Rather than just refusing to accept it, FDA is going to spend the time and review it and tell people what's missing. That's the premarket stick or carrot, depending on how you look at it.”

The FDA has made it clear that it intends to get ahead of cyber risks at the premarket stage, rather than waiting until these devices are implemented in healthcare facilities across the country. Regardless of whether a manufacturer submits before or after October 1st, the submission process will look different than in the past, with a renewed emphasis on tackling cybersecurity challenges head-on.

“On the post-market side, it is complicated for FDA to enforce things like this,” Schwartz stated.“They don't have a rapid mechanism to resolve a vulnerability on the market through their enforcement tools. They can ask for recalls. And recalls can be considered voluntary, but they can also be strongly encouraged by FDA, with the notion that if you are really resistant to it, you may get inspected really soon, and then that would be really problematic because FDA is likely to find all sorts of problems when they do that. The stick is not something that is easily wielded by FDA for cybersecurity.”

In the meantime, manufacturers should focus on implementing known security best practices to prepare for the submission process.

Steps Manufacturers Can Take Now

“A lot of what the FDA has been pushing and will carry forward is a focus on specific security activities as part of the software development lifecycle, and as part of the engineering processes, but then also the testing and release processes,” Wirth said. “And that ranges from early on, considering security in your architecture, performing your threat modeling, your risk analysis, carrying that forward and maintain it through the entire design and development process.”

“Then, in the end, include security in your testing activities. This is not necessarily different than what is done on the non-security side, but typically security adds complexity to it and its own challenges to it. In addition to testing the device, making sure it's functionally safe, mechanically, electrically, and chemically safe, manufacturers also need to demonstrate that it is security safe. And I think that is a very new aspect.”

The FDA has provided manufacturers with a variety of voluntary guidance in the past on medical device security. For example, the FDA’s 2014 "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices" guidance explores planning for patches throughout a device’s lifecycle.

In addition, the FDA’s "Postmarket Management of Cybersecurity in Medical Devices,” issued in 2016, dives into patching and remediating vulnerabilities at the postmarket stage. The FDA also encouraged manufacturers to read up on SBOM guidance included in the October 2021 National Telecommunications and Information Administration (NTIA) Multistakeholder Process on Software Component Transparency document "Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM)."

Manufacturers can leverage existing guidance to strengthen device security and provide reasonable assurances.

“The expectation for post-market maintenance has been there for a number of years. I think what will be different is enforcement and basically have the manufacturer demonstrate how they plan to maintain post-market security as part of the market approval process,” Schwartz mentioned.

“It is not just demonstrating that the device is secure today, and therefore should be market approved, but also in addition to that, demonstrating that, yes, I have processes and technologies in place, which I plan to use to keep the devices safe once they are in the field. That is a new, relatively new gatekeeping item, which I think many manufacturers will need to get used to.”

The current medical device security landscape consists of thousands of devices on any given hospital network, a plethora of outdated operating systems, and new vulnerability discoveries on a regular basis. Ideally, these new premarket requirements will ease cybersecurity concerns, help manufacturers and healthcare providers manage device risks, and most importantly, provide peace of mind for patients.