FDA's Grace Period For Medical Device Cybersecurity Is Over. Are You Ready?

By John Giantsidis, president, CyberActa, Inc.

It is the nature of medical technology to evolve, change the current practices, or even disrupt and outpace laws and regulations. Such dramatic evolution has rendered our complex healthcare ecosystem susceptible to cybersecurity challenges as medical devices and their data have been a major target of cybercrime. The FDA had been toiling with cybersecurity guidance documents for years, but on Dec. 29, 2022, it finally gained legal enforcement means through the Food and Drug Omnibus Reform Act of 2022 (FDORA). One of the FDORA requirements is that medical device manufacturers and developers of “cyber devices” design and implement plans to “monitor, identify and address” cybersecurity vulnerabilities of marketed devices and submit those plans to FDA as part of every new product application for a cyber device. The amended law defines “cyber device” as a device that “(1) includes software validated, installed, or authorized by the sponsor as a device or in a device; (2) has the ability to connect to the internet; and (3) contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.”

The FDA established a grace period for all medical device manufacturers to ensure that you are incorporating cybersecurity during the design and validation of cyber devices. The end date of the grace period, and the seminal date in medical device cybersecurity enforcement, is Oct. 1, 2023. Further regulatory enforcement is on the horizon. But what does this mean for medical device manufacturers? While it is impossible to predict precisely how FDA will enforce cybersecurity requirements in the future, leaders in the medical device, digital health, and precision medicine sectors will benefit from understanding the plenary actions to be taken and the steps their organizations can take to stay ahead of the curve.

Today, most medical device manufacturers and developers rely on both custom-designed and off-the-shelf hardware and software to protect and secure their devices. This complex mix of digital computer platforms and cyber devices represents an ever-increasing attack surface, where the cyber devices themselves and their associated vulnerabilities are constantly expanding, contracting, and evolving. Tens of thousands of vulnerabilities in software and hardware are already known to exist; new vulnerabilities continue to be discovered — and exploited — by attackers every day. Without careful and diligent attention, every cyber device is at serious risk of cyberattack and a data breach. Thus, every medical device manufacturer needs to identify and address these vulnerabilities through a rigorous, careful, and comprehensive program based on risk to strengthen your security posture.

Use Risk-based Vulnerability Management, Not Just Patch Management

Medical device manufacturers cannot simply rely on the traditional patch management system, wherein patches are provided either by the in-house team or by vendors and third-party providers. Such an approach relies on reactive testing and mostly ad-hoc vulnerability scanning and it is not inclusive of dynamic cyber device risk management. What is needed therefore is a comprehensive, end-to-end way of approaching vulnerabilities that encompasses constant monitoring of both old and new common vulnerabilities and exposures (CVEs), prioritizing critical vulnerabilities, and a broader approach to and coverage of vulnerability management. Risk-based vulnerability management (RBVM) prioritizes remediating vulnerabilities based on the impact they will have on your cyber device, as well as the likelihood that exploitation will take place. Furthermore, your RBVM process could be the basis of your cyber device premarket submission to the FDA regarding how you will “monitor, identify and address” cybersecurity vulnerabilities of your marketed devices.

Risk-based vulnerability management is fundamental to designing a program that is both efficient and effective today and ready for your future cyber device needs, and the following elements are to be considered and, ideally, incorporated:

• Continuous and complete discovery: Achieving continuous discovery and complete visibility into your cyber device environment is vital for preventing blind spots. To make this happen, you need a portfolio of data collection technologies purpose-fit for each asset and scenario.
• Assessment: Assessing a cyber device for vulnerabilities and misconfigurations is no longer about just running a vulnerability scan. It’s about using a range of data collection technologies to identify diverse security issues.
• Prioritization: Answer the question: What’s the actual risk of my cyber device vulnerabilities, patient risk, user risk, based on historical trends, current threat activity and the value of my cyber device, both from a regulatory enforcement and contractual expectation? The game changer would be to understand and predict the vulnerabilities set to have the highest likelihood of near-term exploitation.
• Formal risk analysis: Identify any relevant threats to the cyber device and estimate the possible risks resulting from these threats. The goal is to reduce the level of risk to an acceptable level by implementing the appropriate safeguards, to make the residual risks apparent and in this manner to systematically control the overall (total) risk.

Controls To Implement Now For Improved Compliance

Please note that the practices I described above are only intended to provide an introduction to an orderly security process within a medical device manufacturer to support FDA premarket submission approval. Based on global regulatory expectations, the goal of medical device manufacturers — for cyber devices in design or in the market – should be to establish a functioning information security management system, ideally as part of an existing quality management system, that provides an overview of the systems, defines responsibilities, and is aware of existing risks. It is useful to implement controls as early as possible to allow further planning to be as comprehensive and cost-efficient as possible by:

• Setting up a security organization: This comprehensive task serves to define roles relevant for security and the associated responsibilities for the security of cyber device components.
• Creation and maintenance of documentation: Documentation and information concerning the security of cyber device components, such as risk and vulnerability analysis, network plans, network management, configuration, or security program and organization, should be created, maintained, and sufficiently protected against unauthorized access. Standard procedures for service providers and cyber device suppliers should be included to avoid incompatibilities and inconsistencies of software in specific versions and configurations.
• Risk management: One of the most important tasks is risk management. In this context, all functional as well as security specific resources of a cyber device should be considered.

Conclusion

Medical devices and software as a medical device (SaMD) that could be vulnerable to cybersecurity threats are now required to include in their marketing submissions information relating to device security, identification of cybersecurity vulnerabilities, and a software bill of materials. The six-month grace period offered by FDA to developers of cyber devices will come to an end on Oct. 1, 2023. FDORA compliance entails cybersecurity planning during the life cycle of your cyber devices; failure to comply with such requirements is a prohibited act under the Federal Food, Drug, and Cosmetic Act that could create the potential for future enforcement action.

About The Author:

John Giantsidis is the president of CyberActa, Inc., a Boston-based boutique consultancy empowering medical device, digital health, and pharmaceutical companies in their data-driven digital, regulatory, cyber, and privacy endeavors. He is the vice chair of the Florida Bar’s Cybersecurity and Privacy Law Committee and a Cyber Aux with the U.S. Marine Corps. He holds a Bachelor of Science degree from Clark University, a Juris Doctor from the University of New Hampshire, and a Master of Engineering in Cybersecurity Policy and Compliance from George Washington University. He can be reached at john.giantsidis@cyberacta.com.