FDA Premarket and Postmarket Medical Device Cybersecurity

Cybersecurity has become a critical element of ensuring the overall safety of medical devices, making the industry one of the most heavily regulated in the world.

Why?

The FDA first began regulating medical devices in 1976. Since then, advances in science have transformed the industry from purely mechanical devices to modern cloud-connected ones. For example, before 2009, adjusting a pacemaker required a doctor to perform surgery to access the device inside the patient. Today, modern wireless-enabled pacemakers allow healthcare providers to monitor a patient’s heart rhythm remotely and adjust the pacemaker settings as needed, significantly reducing the need for frequent in-person visits.

The FDA was slow to adapt regulations to keep up with the ever-changing MedTech landscape. For instance, in 2017, wireless pacemakers faced a recall due to significant cybersecurity vulnerabilities. These vulnerabilities allowed potential hackers to remotely access and manipulate the devices, potentially causing harm to patients by altering pacing settings or draining the battery. This recall affected nearly half a million pacemakers, profoundly damaging the manufacturer’s reputation and revenue, and most importantly, posed a serious threat to human life.

FDA Premarket Cybersecurity

It’s the Law Now–Cybersecurity Information in Premarket Submissions

Does your firm manufacture a “cyber device”? A recent amendment to the Federal Food, Drug, and Cosmetic Act (FD&C Act) added a new section about medical device cybersecurity for “cyber devices.” If a device uses software that connects to the internet, it is most likely considered a cyber device and subject to the new section 524B of the FD&C Act. This provision has been effective since March 29, 2023.

Over the years, the FDA has been expanding efforts to encourage mitigation of cybersecurity threats to medical device functionality, but the FDA’s recommendations were not codified into law prior to the enactment of section 524B of the FD&C Act. The primary tool for the FDA to request cybersecurity information in premarket submissions has been guidance documents.

Congress has given the FDA the authority to require device manufacturers to provide cybersecurity information in their premarket submission for a “cyber device.” Section 524B(a) states:

“A person who submits an application or submission under section 510(k), 513, 515(c), 515(f), or 520(m) [i.e., 510(k), premarket approval application (PMA), Product Development Protocol (PDP), De Novo, or Humanitarian Device Exemption (HDE)] for a device that meets the definition of a cyber device under this section shall include such information as [FDA] may require to ensure that such cyber device meets the cybersecurity requirements…”

Definition of a Cyber Device

Section 524B(c) defines a “cyber device” as a device that-

“(1) includes software validated, installed, or authorized by the sponsor as a device or in a device;

(2) has the ability to connect to the internet; and

(3) contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.”

The technological characteristics in this context may cover a wide range of device functions–for example, monitoring features, stimulation parameters, and communications with healthcare providers. It applies whether the software is a medical device (SaMD) or the software is embedded in a traditional hardware device (SiMD).

The New Requirements

Section 524B(b) requires manufacturers to provide the following information in premarket submissions for cyber devices:

“(1) submit to the Secretary (FDA) a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures;

(2) design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems to address-

(A) on a reasonably justified regular cycle, known unacceptable vulnerabilities; and

(B) as soon as possible out of cycle, critical vulnerabilities that could cause uncontrolled risks; [and]

(3) provide to the Secretary (FDA) a software bill of materials, including commercial, open-source, and off-the-shelf software components.”

The FDA may also issue regulations with other requirements to demonstrate reasonable assurance that the device and related systems are cybersecure.

FDA Postmarket Cybersecurity: Cybersecurity Monitoring Plan

The FDA’s expanded regulatory authority includes assessing medical device manufacturers’ plans for postmarket monitoring, to ensure the ongoing safety and effectiveness of the devices it clears or approves. The now-enforceable requirements emphasize the importance of continually monitoring for, identifying, and remediating cybersecurity vulnerabilities as part of postmarket device management.

Frequently Asked Questions (FAQ)

What are the resources available to support manufacturers?

The 2023 guidance, “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions,” and the 2016 guidance, “Postmarket Management of Cybersecurity in Medical Devices,” describe recommendations for managing cybersecurity after the device has been introduced into the market.

Does this law only apply to future medical devices, rather than retrospectively?

The cybersecurity requirements do not apply to an application or submission submitted to the FDA before March 29, 2023. If a cyber device was previously authorized, and the manufacturer is making a change to the device that requires premarket review by the agency, the law would apply for the new premarket submission.

Can we submit a Special 510(k) for the addition of a cyber feature to a currently non-cyber device that was previously authorized for commercial distribution through 510(k) or a De Novo classification request?

The Special 510(k) Program Guidance provides an example of a change involving the addition of wireless control capabilities to a bilevel positive airway pressure (BiPAP) device intended to treat patients with obstructive sleep apnea. The Guidance notes that “verification and validation should be conducted to ensure that the BiPAP has acceptable wireless quality of service, coexistence, cybersecurity, and maintains EMC in its intended environment of use.” The Guidance concludes that such a change cannot be reviewed in a Special 510(k), because “there are not well-established methods in an FDA-recognized voluntary consensus standard or in the manufacturer’s previous 510(k) that address the methods to evaluate the addition of wireless control for this BiPAP. The test methods vary depending on the wireless quality of service necessary for the device’s intended use and environment of use.”

What information if any needs to be provided in an investigational device exemption (IDE) application with respect to cybersecurity?

The FDA recommends that only a subset of the documentation be included in IDE applications, including (1) cybersecurity risks as part of the Informed Consent Form, (2) global, multi-patient and updateability/patchability views, (3) security use case views for functionality with safety risks (e.g., implant programming), (4) software bill of materials, and (5) general labeling (connectivity and associated general cybersecurity risks, updateability/process).


Monica R. Montanez

Monica R. Montanez, MS, RAC, CQA currently serves as NAMSA's Principal Strategy Consultant. Monica has over twenty years’ experience in the medical device industry in Regulatory Affairs and Quality Assurance. Her primary focus is navigating the regulatory pathways for electro-mechanical and software-driven medical devices worldwide. She has received clearance of many 510(k)s and approval of new indications for PMA devices, of which 90% involved software. She has broad regulatory expertise in several areas of digital health, including Software in a Medical Device (SiMD), Software as a Medical Device (SaMD), mobile medical apps, clinical decision support software, telehealth, artificial intelligence, machine learning, interoperability, cybersecurity and human factors engineering, including wireless medical devices (radio frequency (RF), electromagnetic compatibility (EMC) and electromagnetic interference (EMI)). While in industry, she assisted in the development of FDA 510(k) guidance and FDA Software guidance directly with the FDA. Monica holds a Master of Science (MS) degree in Regulatory Science (RS) from the University of Southern California (USC) School of Pharmacy. Currently, she holds Regulatory Affairs Certification (RAC) from the Regulatory Affairs Professionals Society (RAPS) and Certified Quality Auditor (CQA) certification from the American Society for Quality (ASQ).