Recently, the Food and Drug Administration (FDA) issued updated regulations regarding medical devices, specifically related to the cybersecurity requirements of those devices. These new requirements are found in Section 524B, Ensuring Cybersecurity of Devices, of the Food, Drug, and Cosmetic Act (FD&C Act).
The new regulations officially went into effect on October 1, 2023, so chief information security officers (CISOs) and other security leaders working for medical device companies need to prioritize compliance to avoid having their new devices refused by the FDA, under the organization’s Refuse to Accept (RTA) policy.
Who Will be Impacted?
The new regulations will apply to anyone who “submits a premarket application or submission […] for a device that meets the definition of a cyber device” — with “cyber device” defined as follows:
“A device that (1) includes software validated, installed, or authorized by the sponsor as a device or in a device, (2) has the ability to connect to the internet, and (3) contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to the cybersecurity threats.”
The updated policy doesn’t apply retroactively, so applications submitted to the FDA before March 29, 2023, and devices that have already been approved for use, are not affected. However, changes and updates to the device that require a new round of premarket review will subject the device to the new regulations.
What’s the Purpose of the New Regulation?
The primary purpose of the new regulation is to recognize the critical role that cybersecurity plays in ensuring the safe and effective use of medical devices. This is an acknowledgement of the convergence of security and quality, with the FDA pushing organizations to look at security design and operational support as an aspect of delivering a quality product.
As an FDA spokesperson said in a recent statement:
“Cybersecurity incidents can render medical devices and hospital networks inoperable with the potential to disrupt the delivery of patient care across health care facilities in the U.S. and globally. […] [T]hese new authorities will allow FDA to work with manufacturers and other device stakeholders to ensure that cyber devices are designed securely and reduce the likelihood of harm to patients.”
For security professionals, this represents a validation that security is not ancillary, but an essential part of the process of building and operating medical devices. This is also an opportunity for medical device manufacturers to work in close alignment with healthcare organizations that use and support these devices in patient care, to ensure that the larger security context is understood and coordinated. Devices are used within a variety of settings and these have an impact on the secure operation of these systems over time.
What Does the New Regulation Require?
The new regulation requires medical device manufacturers to submit information demonstrating that the device meets certain cybersecurity standards. The new required information includes:
A documented plan to “monitor, identify, and address” cybersecurity vulnerabilities and potential exploits. This plan should include considerations for disclosing those vulnerabilities.
“Design, develop, and maintain” processes to assure that the device and related systems are secure, and to provide appropriate updates and patches to the device and system.
“Provide a software bill of materials” that details the software components involved with the device, including commercial and open source elements.
Additional guidance for how to achieve the requirements of each of these steps is available on the FDA’s FAQ page.
Beyond the straightforward submission requirements, what the new regulation is asking is that security be considered right from the beginning of designing a medical device through to the decommissioning of the device at its end of life.
What Should Impacted Companies Do?
Security professionals at impacted organizations will need to closely partner with those in engineering to collaborate on design with security in mind. It will require that these security leaders deeply understand the context within which these devices will be used and bring that threat understanding back into the design process to ensure strong control selection and sound risk management.
For many device companies that have no experience in this sort of explicit security work, these new requirements will represent a substantial lift. Company leaders will need to make sure their organizations acquire the new skills and tools they will need to comply with the new guidelines. The answer for many device companies will be to seek a partnership with an experienced security provider such as Google.
Cyber-risk is an element of overall business risk, which means that medical device companies should understand the impact that good security hygiene will have on their bottom lines. Under these new guidelines, medical device companies will need to build securely, or their devices will simply not reach the market. 524B represents a recognition of the vital role of security in building safe and effective medical products.
Read more Partner Perspectives from Google Cloud