FDA Medical Device Cybersecurity: Commercial & Post-Commercial

by Archynetys Health Desk

Cybersecurity Imperatives for Modern Medical Devices: Navigating FDA Regulations


The Evolving Landscape of Medical Device Cybersecurity

In an era where medical devices are increasingly interconnected, cybersecurity has become paramount. The medical device industry, already heavily regulated, now faces heightened scrutiny regarding the security of its products. This article delves into the recent regulatory changes and what they mean for manufacturers.

From Mechanical to Cloud-Connected: A Paradigm Shift

The evolution of medical devices has been remarkable. What began with purely mechanical devices in 1976, when the FDA first began regulating them, has transformed into a landscape of refined, cloud-connected technologies. Consider the advancements in cardiac rhythm management. Previously, adjusting a pacemaker required invasive surgery. Today, healthcare providers can remotely monitor and adjust these devices, considerably reducing the need for frequent patient visits. This connectivity, while beneficial, introduces new cybersecurity vulnerabilities.

According to a recent report by the Healthcare Sector Coordinating Council (HSCC), the increasing reliance on interconnected devices has expanded the attack surface for malicious actors, making robust cybersecurity measures essential.

The Wake-Up Call: Cybersecurity Vulnerabilities and Recalls

The FDA’s regulatory response has sometimes lagged behind the rapid advancements in medical technology. A stark example of this occurred in 2017 when a major manufacturer of wireless pacemakers faced recalls due to critical cybersecurity vulnerabilities. These flaws allowed potential hackers to remotely access and manipulate the devices, possibly altering settings or depleting the battery, posing a direct threat to patient safety. This recall, affecting nearly 500,000 pacemakers, severely damaged the manufacturer’s reputation and profitability, underscoring the critical need for proactive cybersecurity measures.

The FD&C Act: A New Era of Cybersecurity Requirements

Recognizing the growing threat, Congress amended the Federal Food, Drug, and Cosmetic (FD&C) Act, introducing Section 524B, which specifically addresses medical device cybersecurity for “cyber devices.” This provision, effective since March 29, 2023, mandates that any device utilizing software connected to the internet is subject to these new cybersecurity requirements.

Prior to this amendment, the FDA primarily relied on guidance documents to encourage cybersecurity risk mitigation. However, these recommendations lacked the force of law. Section 524B of the FD&C Act changes this, granting the FDA the authority to require cybersecurity information prior to device approval.

Defining a “Cyber Device” Under Section 524B

Section 524B(c) provides a clear definition of a “cyber device”:

(1) It incorporates software validated, installed, or approved by the sponsor.

(2) It possesses the capability to connect to the internet.

(3) It contains technological characteristics that could be vulnerable to cybersecurity threats, whether validated, installed, or approved by the sponsor.

Section 524B(c) of the Federal Food, Drug, and Cosmetic Act

This definition encompasses a broad range of device functionalities, including monitoring functions, stimulation parameters, and communication with healthcare providers. It applies to both Software as a Medical Device (SaMD) and Software in a Medical Device (SiMD).

Key Requirements for Manufacturers of Cyber Devices

Section 524B(b) outlines the specific information manufacturers must provide in premarket submissions for cyber devices:

(1) A complete plan for monitoring, identifying, and addressing post-market cybersecurity vulnerabilities and exploits within a reasonable timeframe.

(2) Established processes and procedures for ensuring device and related system cybersecurity, including timely updates and patches to address:

(A) Known vulnerabilities that cannot be adequately mitigated through routine updates.

(B) Critical vulnerabilities that pose an immediate and unreasonable risk to patient safety.

(3) A detailed software bill of materials (SBOM), including commercial, open-source, and proprietary components.

Section 524B(b) of the Federal Food, Drug, and Cosmetic Act

The FDA retains the authority to issue further regulations to ensure the cybersecurity of devices and related systems.

Post-Market Cybersecurity: Continuous Vigilance

The FDA’s expanded regulatory authority includes evaluating manufacturers’ post-market monitoring plans to ensure the ongoing safety and effectiveness of approved devices. Continuous monitoring, identification, and mitigation of cybersecurity vulnerabilities are now integral to post-market management.

Frequently Asked Questions (FAQ)

What resources can be used to support manufacturers?

The FDA provides various resources, including guidance documents, workshops, and collaborative programs, to assist manufacturers in meeting cybersecurity requirements. These resources are regularly updated to reflect the evolving threat landscape.

Does this law only apply to future medical devices, rather than retrospectively?

The cybersecurity requirements do not apply to applications or submissions submitted to the FDA before March 29, 2023. However, if a previously approved cyber device undergoes modifications requiring agency review, the new law applies to the updated submission.

Can I submit a special 510(k) to add a cyber function to a device that is already approved?

The FDA’s special 510(k) program guidelines provide examples of such changes, such as adding wireless control to a BiPAP device. However, the guidelines emphasize the need for well-established methods for assessing the added functionality, particularly regarding wireless service quality, coexistence, and cybersecurity. If such methods are lacking, a special 510(k) may not be appropriate.

What cybersecurity information should be provided in an IDE request?

The FDA recommends including a subset of the cybersecurity documentation in the IDE application, such as cybersecurity risks as part of the informed consent information, the global and multi-patient view together with update/patch capabilities, security use cases for functions with safety risks (e.g. implant programming), and the availability of, and process for maintaining, the software bill of materials (SBOM).
