Boston MedTech Advisors Blog, Updated March 2024

The increasing connectivity of medical devices to the internet, hospital networks, and other devices introduces new vulnerabilities that can impact patient safety and device effectiveness. This guide explores the regulatory landscape of cybersecurity in medical devices, focusing on the Food and Drug Administration’s (FDA) recent guidance documents and how they impact medical device manufacturers.

On December 29, 2022, the Food and Drug Omnibus Reform Act of 2022 (FDORA) was signed into law. FDORA amended the Federal Food, Drug, and Cosmetic Act (FD&C Act) by adding section 524B, “Ensuring Cybersecurity of Medical Devices”. Under this section, a “cyber device” is defined as a device that:1

  1. Includes software validated, installed, or authorized by the sponsor as a device or in a device;
  2. Has the ability to connect to the internet; and
  3. Contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.

A submission for a device that meets the definition of a cyber device is required by law to include information demonstrating that the device meets the cybersecurity requirements of section 524B.

On September 27, 2023, FDA finalized its guidance for the medical device industry entitled “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.”2 This document, which supersedes the agency’s 2014 guidance entitled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices”,3 was designed to update the approach to device cybersecurity in light of the rapidly evolving threat landscape, an increased understanding of emerging threats, and the need to deploy mitigations throughout the total product lifecycle (TPLC). The recommendations in this guidance are intended to help manufacturers meet their obligations under section 524B of the FD&C Act.

The 2023 guidance describes recommendations regarding the cybersecurity information to be submitted for the following device premarket submission types:

  • Premarket Notification (510(k));
  • De Novo requests;
  • Premarket Approval Applications (PMAs) and PMA supplements;
  • Product Development Protocols (PDPs);
  • Investigational Device Exemption (IDE) applications;
  • Humanitarian Device Exemption (HDE) filings.

In addition to these, the recommendations in this guidance are also applicable to devices for which a premarket submission is not required, such as 510(k)-exempt devices.

Compared to the 2014 guidance, FDA has included several new elements in the latest guidance document. These include, but are not limited to, the recommendation of a Secure Product Development Framework (SPDF) for cybersecurity risk management, the expansion of the guidance’s scope to IDE submissions, and new requirements for Software Bill of Materials (SBOM) documentation in premarket submissions for medical devices.

The guidance document highlights the importance of an iterative approach to device cybersecurity throughout the product lifecycle, with particular emphasis on secure design and cybersecurity risk mitigation and management.

The key areas of focus in the new guidelines are:

  • Software validation and risk management (which are essential to meeting Quality System (QS) requirements) are key elements of cybersecurity analyses and demonstrate whether a device has a reasonable assurance of safety and effectiveness. FDA requires manufacturers to implement development processes that account for and address software risks throughout design and development as part of design controls, which may include cybersecurity considerations. To satisfy QS requirements, FDA recommends the adoption of processes such as the Secure Product Development Framework (SPDF) for risk management throughout the product lifecycle.
  • The difference between cybersecurity risk management and safety risk management is highlighted. Specifically, FDA has stated that manufacturers should include security risk management reports in premarket submissions to help demonstrate the safety and effectiveness of the device. The report should include documentation on system threat modeling, cybersecurity risk assessment, the SBOM, component support information, vulnerability assessments, and unresolved anomaly assessment.
  • FDA identifies transparency as essential to the safe and effective use of medical devices and to managing cybersecurity risks in medical device systems and networks. Two routes to enhance transparency are device labeling and established vulnerability management plans. FDA also recommends that manufacturers consider the end user’s ability to take on a security-risk mitigation role when designing labeling material. Any risks transferred to the user should be detailed and may need to be included as part of usability testing.
  • Medical device manufacturers are recommended to submit cybersecurity management plans in their premarket submissions. FDA will use such plans to prospectively assess the post-market safety and effectiveness of the device.
  • FDA recommends that properly implemented cybersecurity controls ensure safe and effective interoperability in end-to-end devices. Interoperable devices are identified as those that can exchange and use information electronically with another medical or non-medical product, system, or device. Furthermore, the agency emphasizes that cybersecurity controls should not be leveraged to prohibit users from accessing their own device data.
  • Medical device manufacturers should document all software components, including any third-party software components, and address or mitigate the risks associated with these components to comply with the QS regulation. As software is generally updated over time, such changes may introduce new risks that must be proactively considered during risk management. In its guidance, FDA indicates that device manufacturers should maintain custodial control of the device source code throughout the product lifecycle as part of configuration management. Though premarket submissions do not need to include the source code, manufacturers should plan ahead for updating or replacing third-party software as and when required.
  • Following FD&C Act section 524B(b)(3), the 2023 guidance states that SBOMs are a required component of marketing applications for cyber devices. In addition, FDA recommends that they be included in the marketing applications of all other devices as well. The recommendations pertaining to SBOMs apply to both proprietary (i.e., manufacturer-developed) and third-party software.
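To make the SBOM and third-party component points above concrete, here is a small review script added for this post (it is not FDA’s tooling or the guidance’s own wording). It reads a CycloneDX-style JSON SBOM for a hypothetical device, with a constructed mix of one proprietary and two third-party components, and reports per-component gaps: missing NTIA minimum elements (name, version, supplier), missing support information, and support that has already lapsed. The property names `support_level` and `end_of_support`, and the exact checklist of fields, are assumptions of the example and should be reconciled with the 2023 guidance before use.

```python
"""Check a CycloneDX-style SBOM for the per-component information a premarket
submission is expected to carry. Example written for this post; the checklist of
fields (NTIA minimum elements plus support level and end-of-support date) is an
assumption of the example, not a quotation of the guidance."""
import json
from datetime import date

# Per-component fields every entry must carry (assumption: NTIA minimum elements).
REQUIRED_FIELDS = ("name", "version", "supplier")
# Support information carried as CycloneDX properties (assumed property names).
SUPPORT_PROPERTIES = ("support_level", "end_of_support")

# Constructed sample SBOM for a hypothetical device; names, versions and dates are invented.
# It mixes a proprietary (manufacturer-developed) component with third-party libraries.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2024-03-20T00:00:00Z",
        "authors": [{"name": "Example Device Security Team"}],
    },
    "components": [
        {"type": "firmware", "name": "pump-controller", "version": "3.2.0",
         "supplier": {"name": "Example Medical Inc."},
         "properties": [{"name": "support_level", "value": "full"},
                        {"name": "end_of_support", "value": "2030-12-31"}]},
        {"type": "library", "name": "example-tls-lib", "version": "1.0.9",
         "supplier": {"name": "Example TLS Project"},
         "properties": [{"name": "support_level", "value": "none"},
                        {"name": "end_of_support", "value": "2023-09-11"}]},
        {"type": "library", "name": "compression-lib", "version": "",
         "supplier": {"name": "Example Compression Project"}},
    ],
})


def component_findings(component, as_of):
    """Return the list of gaps for one component; an empty list means it passes."""
    findings = []
    for field in REQUIRED_FIELDS:
        value = component.get(field)
        if field == "supplier":  # supplier is an object in CycloneDX, so check its name
            value = (value or {}).get("name")
        if not value:
            findings.append(f"missing {field}")
    props = {p["name"]: p["value"] for p in component.get("properties", [])}
    for prop in SUPPORT_PROPERTIES:
        if prop not in props:
            findings.append(f"missing {prop}")
    eos = props.get("end_of_support")
    if eos and date.fromisoformat(eos) < as_of:
        findings.append(f"end of support {eos} already passed")
    if props.get("support_level") == "none":
        findings.append("unsupported component: plan replacement or a compensating control")
    return findings


def review_sbom(sbom_json, as_of_iso):
    """Map each component (name@version) to its findings, evaluated as of an ISO date.
    Missing SBOM-level metadata (author, timestamp) is reported under "_metadata"."""
    as_of = date.fromisoformat(as_of_iso)
    sbom = json.loads(sbom_json)
    report = {}
    meta = sbom.get("metadata", {})
    meta_gaps = [k for k in ("timestamp", "authors") if not meta.get(k)]
    if meta_gaps:
        report["_metadata"] = [f"missing {k}" for k in meta_gaps]
    for comp in sbom.get("components", []):
        key = f"{comp.get('name', '?')}@{comp.get('version') or '?'}"
        report[key] = component_findings(comp, as_of)
    return report


if __name__ == "__main__":
    for key, findings in review_sbom(SAMPLE_SBOM, "2024-03-20").items():
        print(key, "OK" if not findings else "; ".join(findings))
```

Run against the constructed sample, the proprietary firmware passes, the unsupported third-party library is flagged for lapsed support, and the component with no version or support data is listed with each missing field, which is the kind of gap a reviewer would expect the manufacturer’s update-or-replace plan to address.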

The recommendations contained in this guidance document are intended to supplement FDA’s guidance documents on:

  • Postmarket Cybersecurity Guidance4
  • Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software5
  • Content of Premarket Submissions for Device Software Functions6

On March 13, 2024, a draft guidance on “Select Updates for the Premarket Cybersecurity Guidance: Section 524B of the FD&C Act” was released.7 When finalized, this draft guidance will be added to the unchanged 2023 guidance as a new section (Section VII). The proposed update clarifies the cybersecurity information FDA considers necessary to support cybersecurity requirements of FD&C Act section 524B, including:

  1. Additional details to include in the post-market cybersecurity plan:
    – Procedures for disclosing vulnerabilities and exploits identified by external entities or by the manufacturer.
    – Timelines, with associated justifications, for developing and releasing required updates and patches.
    – Plans (e.g., threat modeling) for creating or updating documentation as new information becomes available, maintained throughout the device lifecycle.
  2. Clarification that “provide a reasonable assurance of cybersecurity” refers to the total documentation provided for cybersecurity in a premarket submission, based on the level of cybersecurity risk of the device as described in Appendix 4 of the 2023 guidance.

The cybersecurity requirements in both guidance documents also apply to submissions for a modification to a cyber device if the modification impacts cybersecurity. However, if the modification is unlikely to impact cybersecurity (e.g., a change of materials), FDA requires the following information to be included:

  1. A summary of any changes (from the previous submission) to the plan and of any updates or patches made to address vulnerabilities or exploits.
  2. Summary information supporting a reasonable assurance that the device and related systems are cybersecure and have no uncontrolled vulnerabilities.
  3. A software bill of materials.

FDA interprets section 524B to mean that a reasonable assurance of cybersecurity can be part of FDA’s determination of a device’s safety and effectiveness and is essential to protecting the public health. Manufacturers should review section 524B and this draft guidance in conjunction with the 2023 guidance while developing their products to ensure they meet the cybersecurity criteria, as this is a critical component of FDA’s determination in allowing devices on the market.

About Boston MedTech Advisors (BMTA)

Since 2004, BMTA’s multidisciplinary team has supported more than 400 medical technologies and life sciences companies around the world to achieve their business goals. BMTA assists its clients to commercialize new products and services and increase their market adoption by addressing their unique and inter-dependent regulatory, clinical evidence, reimbursement, and marketing requirements and strategies. BMTA offers result-oriented insights that recognize the multi-faceted aspects of today’s healthcare markets and the client’s unique business needs.

For more information, questions, or comments, contact us at info@bmtadvisors.com

References:

  1. Federal Food, Drug, and Cosmetic Act. Section 524B(c). https://www.congress.gov/117/bills/hr2617/BILLS-117hr2617enr.pdf
  2. Guidance for Industry and Food and Drug Administration Staff “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.” September 27, 2023. https://www.fda.gov/regulatory-information/search-fda-guidance-documents/cybersecurity-medical-devices-quality-system-considerations-and-content-premarket-submissions
  3. Guidance for Industry and Food and Drug Administration Staff “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.” October 2, 2014. https://www.fda.gov/media/86174/download
  4. Guidance for Industry and Food and Drug Administration Staff “Postmarket Management of Cybersecurity in Medical Devices” December 28, 2016. https://www.fda.gov/media/95862/download
  5. Guidance for Industry “Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software” January 14, 2005. https://www.fda.gov/media/72154/download
  6. Guidance for Industry and Food and Drug Administration Staff “Content of Premarket Submissions for Device Software Functions.” June 14, 2023. https://www.fda.gov/media/153781/download
  7. Draft Guidance for Industry and Food and Drug Administration Staff “Select Updates for the Premarket Cybersecurity Guidance: Section 524B of the FD&C Act” March 13, 2024. https://www.fda.gov/media/176944/download
