Explaining New FDA Cybersecurity Requirements

Why Is Cybersecurity Important in Healthcare?

Because healthcare organizations store and manage sensitive patient data, they’re vulnerable to cyber attacks. That’s why it’s crucial for medical centers and hospitals to consider their cybersecurity measures to protect patient medical records, billing and payment information, and other personal data. If patient information isn’t secured properly, it can be accessed by hackers who can use it for malicious purposes.

Medical centers use cybersecurity measures to ensure that sensitive records are kept secure and protected from unauthorized access. But as more medical devices become connected to the internet, healthcare systems, and other digital devices, they become more of a cybersecurity risk. That’s why medical device manufacturers in the U.S. are facing a new reality—meeting FDA cybersecurity requirements for medical devices.

Medical Device Manufacturers Consider Healthcare Cybersecurity

The Consolidated Appropriations Act, 2023 was signed into law on December 29, 2022 and contains a section that addresses the need for cybersecurity measures for medical devices. The section (524B of the FD&C Act) requires medical device manufacturers to implement cyber security measures to protect patient data, such as encryption and authentication protocols. However, the new FDA cybersecurity requirements for medical devices do not apply to premarket submissions submitted before March 29, 2023.

Explaining the New FDA Cybersecurity Requirements

The FDA defines a cyber device as a medical device that:

Includes software validated, installed, or authorized by the sponsor as a device or in a device;
Has the ability to connect to the internet; and
Contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.

The Requirements

Under the new FDA cybersecurity requirements, the sponsor of a medical device application or submission shall:

Submit a plan to the secretary to monitor, identify, and address appropriate postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures, in a reasonable time;
Design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems to address:
a. Unacceptable vulnerabilities on a reasonably justified regular cycle and;
b. Critical vulnerabilities that could cause uncontrolled risks as soon as possible out of cycle;
Provide the secretary with a software bill of materials, including commercial, open-source, and off-the-shelf software components; and
Comply with other requirements the secretary may require through regulation to demonstrate reasonable assurance that the device and related systems are cybersecure.

Under the new guidance, the FDA will not issue “refuse to accept” (RTA) decisions for premarket submissions submitted for cyber devices before October 1, 2023, based solely on information required by section 524B of the FD&C Act. Instead, the FDA will work collaboratively with sponsors of these premarket submissions as part of the interactive and/or deficiency review process. However, beginning October 1, 2023, the FDA expects that sponsors of cyber devices will have had sufficient time to prepare premarket submissions that contain information required by section 524B of the FD&C Act, and may issue RTAs for premarket submissions that don’t contain this information. If you’re currently preparing a submission, make sure to review the new policy and guidance documentation provided by the FDA to avoid additional information requests and delays in the approval process.

If you’re developing a medical device that addresses a current unmet need in the healthcare industry, the breakthrough devices program is significantly beneficial.

Learn More

Security Assessment of Unresolved Anomalies

The FDA’s Premarket Software Guidance provides recommendations on how to list software anomalies, such as bugs or defects, in the premarket submission. Medical device manufacturers are required to assess each anomaly and its impact on the safety and effectiveness of their device. The FDA recommends providing the criteria and rationales used to address any resulting anomalies that have security impacts in the security risk assessment documentation to ensure that the device is secure and can operate safely and effectively. A thorough risk assessment allows the FDA to identify any potential threats to patient safety and any areas of non-compliance with applicable laws and regulations.

Cybersecurity Testing

FDA recommends that the following types of testing be provided in medical device approval submissions:

Manufacturers should provide evidence that each design input requirement was implemented successfully.
Manufacturers should provide evidence of their boundary analysis and rationale for their boundary assumptions.
Manufacturers should provide details and evidence of testing that demonstrates effective risk control measures according to the threat models provided in the system, use case, and call-flow views.
Manufacturers should ensure the adequacy of each cybersecurity risk control in enforcing the specified security policy, performance for maximum traffic conditions, stability and reliability, as appropriate.

Under the new FDA FDA cybersecurity requirements, manufacturers are also required to provide details and evidence of the following vulnerability testing:

Abuse case, malformed, and unexpected inputs
Robustness
Fuzz testing
Attack surface analysis
Vulnerability chaining
Closed box testing of known vulnerability scanning
Software composition analysis of binary executable files, and
Static and dynamic code analysis, including testing for credentials that are “hardcoded,” default, easily guessed, and easily compromised.

Penetration test reports are also required for submission and should include the following elements:

Independence and technical expertise of testers
Scope of testing
Duration of testing
Testing methods employed, and
Test results, findings, and observations.

Helping You Meet FDA Cybersecurity Requirements

At Remington Medical, our experienced team of contract manufacturers are here to help you navigate the complex FDA cybersecurity requirements and make sure your device is ready for market quickly and effectively. Contact us today to learn more about our contract manufacturing services and how we can help you navigate the approval process.