By Will Garvin and Michael McLaughlin, Buchanan Ingersoll & Rooney
The United States FDA cybersecurity requirements for medical “cyber devices” went into effect on Oct. 1, 2023, and it is incumbent on all manufacturers of medical devices to take actions to comply with these requirements. The FDA has made it clear that under the new laws in place, the agency cannot even accept submissions from certain medical device manufacturers if their applications don’t contain the required cybersecurity information.
This article will provide some key insights on what to do and what to avoid regarding the new cybersecurity requirements.
Cybersecurity For Medical Devices Is A Top Priority For The Federal Government
Historically, the FDA instituted certain cybersecurity requirements for medical devices in a guidance document under 21 CFR Part 820. But with the passage of the Consolidated Appropriations Act of 2023, Congress has now made it a legal requirement that all medical devices that qualify as “cyber devices” institute certain cybersecurity requirements before they can enter the market.
Congress passed this law in response to the increased concern regarding cybersecurity vulnerabilities of medical devices. According to a report by the FBI, more than half of connected medical devices in hospitals have known critical vulnerabilities, and 40% of devices at the end-of-life stage had few or no security patches. A study by the Ponemon Institute revealed that almost 89% of healthcare organizations were victims of at least one cyberattack between 2021 and 2022. And in 2023, the Health Information Sharing and Analysis Center (Health-ISAC) found nearly 1,000 security vulnerabilities across 966 tested medical devices — a 59% year-over-year increase from 2022.
Given the high demand for healthcare data and the significant vulnerabilities in medical device software, the federal government has decided that instituting strong cybersecurity requirements is a top priority.
4 Steps To Navigate FDA’s New Cybersecurity Requirements For Medical Devices
1. Determine If Your Medical Device Is A “Cyber Device”
Under section 524B of the Federal Food, Drug, and Cosmetic Act (FFDCA), a “cyber device” is generally defined as a medical device: (1) that has the ability to connect to the internet; (2) that includes software by the sponsor of the device; and (3) in which that software is vulnerable to a cybersecurity threat. Because the definition of a cyber device is so broad, practically any medical device that can connect to a network would be considered a cyber device that falls under the ambit of the FDA’s new cybersecurity requirements.
It is important to note that the controls are required even if the product is not intended to be connected to the internet but merely has the ability to connect to the internet. Therefore, even selling a medical device that is intended to be on its own network and air-gapped from the internet would still qualify as a cyber device if a user could connect the device to the internet.
2. Ensure That Any Submission After Oct. 1, 2023, Includes Cybersecurity Requirements For A Cyber Device
On Oct. 1, 2023, FDA began issuing refuse to accept (RTA) letters for any submissions for a cyber device that did not meet the new cybersecurity requirements. An RTA means that FDA will not even provide a qualitative review of a submission for a medical device. Instead, the FDA will merely note that the applicant did not include certain required information and deny the application. An RTA can be especially disheartening since it means that the applicant has to start over from the beginning, whereas other substantive responses from FDA ensure that the applicant and FDA are working through the review issues toward final approval.
3. Include The Appropriate Cybersecurity Requirements For A Cyber Device
In order to comply with the new legal requirements, an applicant for a cyber device must meet the following cybersecurity requirements:
- They must “monitor, identify, and address, as appropriate, in a reasonable time, post-market cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures”;
- They must “design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available post-market updates and patches to the device and related systems” to address “on a reasonably justified regular cycle, known unacceptable vulnerabilities”; and “as soon as possible out of cycle, critical vulnerabilities that could cause uncontrolled risks”;
- They must “provide to the Secretary a software bill of materials, including commercial, open-source, and off-the-shelf software components”; and
- They must “comply with such other requirements as the Secretary may require through regulation to demonstrate reasonable assurance that the device and related systems are cybersecure.” See FFDCA § 524B.
Under the first two requirements, manufacturers must have plans to continually monitor cybersecurity vulnerabilities and take post-market actions to update the device’s cybersecurity.
4. Include An Appropriate Software Bill Of Materials
One aspect of meeting the new cybersecurity requirements is for an applicant to ensure they have submitted an appropriate software bill of materials (SBOM) to FDA. An SBOM is essentially an ingredient list detailing all software components that comprise the overall device software program. SBOMs are designed to give regulators and consumers the ability to understand the risk of vulnerabilities in the software components of devices.
FDA has stated that when providing SBOM information applicants should look to its guidance documents regarding Off-The-Shelf (OTS) Software Use in Medical Devices and Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software. Additionally, FDA stated in a recent guidance document that “manufacturers should provide machine readable SBOMs consistent with the minimum elements … identified in the October 2021 National Telecommunications and Information Administration (NTIA) Multistakeholder Process on Software Component Transparency document Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM).”
FDA reiterated in its recent guidance that the SBOM submissions should be in a “machine readable” format.
Lastly, FDA stated that sponsors could include the “software level of support provided through monitoring and maintenance from the software component manufacturer (e.g., the software is actively maintained, no longer maintained, abandoned)”; and the “software component’s end-of-support date.”
The new cybersecurity requirements implemented by the FDA for medical cyber devices are a top priority for the federal government. Manufacturers of medical devices need to understand if their devices fall under the category of cyber devices and ensure compliance with the cybersecurity requirements. Failure to meet these requirements can result in FDA refusing to accept submissions for the device. To comply, manufacturers must monitor and address cybersecurity vulnerabilities, provide regular updates and patches, submit a software bill of materials, and comply with any additional requirements set by the FDA. It is also crucial for manufacturers to include a machine-readable software bill of materials that details all software components of the device. Following these guidelines will help ensure compliance with the new cybersecurity requirements and protect against potential cyber threats.
About The Authors:
William A. Garvin is a shareholder in the FDA Practice Group at Buchanan Ingersoll & Rooney. He focuses his practice on issues related to the approval, regulation, promotion, sale, and reimbursement of drugs, medical devices, biologics, excipients, dietary supplements, foods, and cannabis-related products. Garvin has previously been a review board member for the Journal for Mobile Medical Technology, a member of Law360 Life Sciences Editorial Advisory Board, and a member of the Covid-19 Healthcare Coalition. Garvin was consecutively named to the Washington, D.C. Super Lawyers Rising Stars list from 2013 to 2018, and he also has been recognized by Chambers USA from 2019 to present.
Michael G. McLaughlin is co-leader of Buchanan Ingersoll & Rooney’s Cybersecurity and Data Privacy Practice group and a principal in the firm’s Government Relations section. He advises clients in matters involving cybersecurity, data privacy, public policy, and government contracts. He has expertise assisting clients in cybersecurity incident response and remediation, regulatory compliance, and establishing effective data privacy programs. McLaughlin earned his JD and his Certificate in Cybersecurity and Crisis Management Law from the University of Maryland Francis King Carey School of Law.