FDA: Get Cybersecurity in Check or Don’t Bring a Medical Device to Market

This week, the U.S. Food and Drug administration (FDA) issued guidance that medical device manufacturers are required to meet cybersecurity standards or face the risk that their product will not be approved for market. This measure will immediately impact organizations, as of March 29, 2023, applying to bring new products to market, but the FDA states they will provide support for the next 90 days.

“FDA generally intends not to issue ‘refuse to accept’ (RTA) decisions for premarket submissions submitted for cyber devices based solely on information required by section 524B of the FD&C Act before October 1, 2023, but instead, work collaboratively with sponsors of such premarket submissions as part of the interactive and/or deficiency review process. Beginning October 1, 2023, FDA expects that sponsors of such cyber devices will have had sufficient time to prepare premarket submissions that contain information required by section 524B of the FD&C Act, and FDA may RTA premarket submissions that do not.”

Though the new rules immediately went into effect, the guidance was not unexpected. On December 29, 2022, in the Consolidated Appropriations Act Omnibus, the document laid the groundwork by adding section 524B, Ensuring Cybersecurity of Devices.

What to Expect

The act requires medical device manufacturers to:

• Plan to monitor, identify, and address postmarket cybersecurity vulnerabilities and exploits.

• Design, develop, and maintain processes and procedures to provide assurance that the device and related systems are cybersecure (including postmarket updates and patches).

• Provide a software bill of materials.

Scroll to the bottom of the article for the specific language included in section 524B.

These new regulations help combat the increased threat landscape facing health organizations globally and reduce the opportunity for human errors in cybersecurity.

The updated guidance aligns with the newly released National Cybersecurity Strategy that puts the onus of meeting specific cybersecurity standards on software and service providers.

“Shape Market Forces to Drive Security and Resilience—We will place responsibility on those within our digital ecosystem that are best positioned to reduce risk and shift the consequences of poor cybersecurity away from the most vulnerable in order to make our digital ecosystem more trustworthy…”

In governance, we often see a split between consequences or encouragement. This is typically referred to as the carrot and the stick metaphor. In this particular instance, the FDA is offering a twig—or a subtle consequence that can be remediated—to ensure consumers and healthcare systems reduce the risk of being negatively impacted by insecure devices.

Interestingly, the FDA is releasing these measures immediately and without prior public comment. However, they indicate that they are open to shifting said document based on input received going forward.

“FDA has determined that it is not feasible to obtain public comment prior to the 90-day statutory timeframe for the effective date of section 524B of the FD&C Act. Although this policy is being implemented immediately without prior comment, FDA will consider all comments received and revise the guidance document as appropriate.”

Mandatory Cybersecurity Standards Replace Voluntary MDS2 Disclosure

Prior to the updated guidance, medical device manufacturers had the voluntary option of completing a Manufacturer Disclosure Statement for Medical Device Security (MDS2) sheet. Similar to requests for things like SOC 2 reports or security questionnaires, this sheet was often compelled for completion by stakeholders purchasing said devices.

MDS2 was designed to provide critical information about security features and capabilities of a medical device and assist healthcare organizations evaluate and manage risks associated with using a device. Unlike other standards, an MDS2 form is a self-completed disclosure that allows a manufacturer to demonstrate their commitment to security and help their customers make informed decisions.

MDS2 was developed by the Medical Device Innovation, Safety, and Security Consortium (MDISS) to help medical device manufacturers communicate important security-related information to healthcare providers, purchasers, and end-users. 

Although the MDS2 was not required by law, it was recommended by various regulatory bodies and industry organizations such as the FDA, the International Electrotechnical Commission (IEC), and the Association for the Advancement of Medical Instrumentation (AAMI).

Section 524B: Ensuring Cybersecurity of Devices

Below is direct information from H.R.2617 - Consolidated Appropriations Act, 2023:

SEC. 3305. ENSURING CYBERSECURITY OF MEDICAL DEVICES. 

    (a) In General.—Subchapter A of chapter V of the Federal Food, Drug, and Cosmetic Act (21 U.S.C. 351 et seq.) is amended by adding at the end the following:

``SEC. 524B. ENSURING CYBERSECURITY OF DEVICES.

    ``(a) In General.—A person who submits an application or submission under section 510(k), 513, 515(c), 515(f), or 520(m) for a device that meets the definition of a cyber device under this section shall include such information as the Secretary may require to ensure that such cyber device meets the cybersecurity requirements under subsection (b).

    ``(b) Cybersecurity Requirements.—The sponsor of an application or submission described in subsection (a) shall—

``(1) submit to the Secretary a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures;

        ``(2) design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems to address—

            ``(A) on a reasonably justified regular cycle, known unacceptable vulnerabilities; and

            ``(B) as soon as possible out of cycle, critical vulnerabilities that could cause uncontrolled risks;

        ``(3) provide to the Secretary a software bill of materials, including commercial, open-source, and off-the-shelf software components; and

        ``(4) comply with such other requirements as the Secretary may require through regulation to demonstrate reasonable assurance that the device and related systems are cybersecure.

     ``(c) Definition.—In this section, the term `cyber device' means a device that—

        ``(1) includes software validated, installed, or authorized by the sponsor as a device or in a device;

        ``(2) has the ability to connect to the internet; and

        ``(3) contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.