New Security Requirements for Medical Cyber Devices. Is Your Business Ready?  

The way in which medical device manufacturers prepare premarket submissions for cyber devices is undergoing a significant change. This not only impacts premarket submissions but will affect how cybersecurity is incorporated into the entire lifecycle of a medical device.  

On March 29th, 2023, a new section within the Consolidated Appropriations Act (Omnibus) came into law, which means that all medical cyber devices must now meet certain security standards.  

If you are a company building a medical “cyber device”, you are now required to take the following actions when preparing premarket submissions:  

1. Submit a plan to monitor, identify, and address postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures;
2. Design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems to address—
   • on a reasonably justified regular cycle, known unacceptable vulnerabilities; and
   • as soon as possible out of cycle, critical vulnerabilities that could cause uncontrolled risks;
3. Provide a software bill of materials (SBOM);
4. Ensure compliance with other requirements that the FDA may require through regulation to demonstrate reasonable assurance that the device and related systems are cybersecure.
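Requirements 1 to 3 fit together in practice: the SBOM lists what is in the device, a vulnerability feed is matched against that list, and each finding is routed to either the regular patch cycle or an out-of-cycle fix. The script below is an added illustration written for this post, not code from the original article, the FDA, or Nova Leah's product. It assumes a simplified CycloneDX-style JSON shape (not a full, schema-valid CycloneDX document), and the component names, versions and advisory identifiers it uses are constructed placeholders, not real packages or CVEs.

```python
import json
from dataclasses import dataclass

# Constructed sample SBOM in a simplified CycloneDX-style shape. Component
# names and versions are made up for this example.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"name": "example-pump-firmware", "version": "3.2.0"}},
    "components": [
        {"type": "library", "name": "tls-lib", "version": "1.0.2"},
        {"type": "library", "name": "json-parser", "version": "2.3.1"},
        {"type": "operating-system", "name": "rtos-kernel", "version": "5.1.0"},
    ],
})

# Constructed advisory feed. The identifiers are placeholders, not real CVEs.
KNOWN_VULNS = [
    {"id": "EXAMPLE-VULN-001", "component": "tls-lib", "fixed_in": "1.1.0", "severity": "critical"},
    {"id": "EXAMPLE-VULN-002", "component": "json-parser", "fixed_in": "2.4.0", "severity": "medium"},
    {"id": "EXAMPLE-VULN-003", "component": "rtos-kernel", "fixed_in": "5.0.0", "severity": "high"},
]


@dataclass(frozen=True)
class Component:
    name: str
    version: str


def parse_sbom(text: str) -> list:
    """Parse the SBOM and reject documents missing the fields a reviewer needs."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported or missing bomFormat")
    components = []
    for entry in doc.get("components", []):
        # A component without a version cannot be matched against advisories,
        # so treat it as a defect in the SBOM rather than silently skipping it.
        if "name" not in entry or "version" not in entry:
            raise ValueError(f"component missing name/version: {entry}")
        components.append(Component(entry["name"], entry["version"]))
    if not components:
        raise ValueError("SBOM lists no components")
    return components


def version_key(version: str) -> tuple:
    """Numeric dotted versions only; real feeds need ecosystem-specific rules."""
    return tuple(int(part) for part in version.split("."))


def match_vulnerabilities(components: list, vulns: list) -> list:
    """Return one finding per (component, advisory) pair where the installed
    version is older than the fixed version."""
    findings = []
    for comp in components:
        for vuln in vulns:
            if vuln["component"] != comp.name:
                continue
            if version_key(comp.version) < version_key(vuln["fixed_in"]):
                findings.append({
                    "id": vuln["id"],
                    "component": comp.name,
                    "installed": comp.version,
                    "fixed_in": vuln["fixed_in"],
                    "severity": vuln["severity"],
                })
    return findings


def triage(findings: list) -> dict:
    """Route findings into the two remediation lanes named in requirement 2:
    critical issues go out of cycle, everything else waits for the regular cycle."""
    lanes = {"out_of_cycle": [], "regular_cycle": []}
    for finding in findings:
        lane = "out_of_cycle" if finding["severity"] == "critical" else "regular_cycle"
        lanes[lane].append(finding["id"])
    return lanes


def run(sbom_text: str = SAMPLE_SBOM, vulns: list = KNOWN_VULNS) -> dict:
    return triage(match_vulnerabilities(parse_sbom(sbom_text), vulns))


if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

With the constructed inputs, the old tls-lib is routed out of cycle, the json-parser finding waits for the regular cycle, and rtos-kernel produces no finding because its installed version is already newer than the fix. The severity threshold that separates the two lanes is a design choice the manufacturer has to justify in the plan submitted under requirement 1; the code only makes that choice explicit and repeatable.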

What is a Cyber Device? 

This new set of security requirements affects cyber devices, which are medical devices that connect to the internet, or more accurately: 

“Section 524B(c) of the FD&C Act defines “cyber device” as a device that (1) includes software validated, installed, or authorized by the sponsor as a device or in a device, (2) has the ability to connect to the internet, and (3) contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to the cybersecurity threats. If manufacturers are unsure as to whether their device is a cyber device, they may contact the FDA.” 

6 Months to Adapt Before FDA ‘Refuse-to-Accept’ 

Alongside these new security requirements is FDA’s new RTA (refuse-to-accept) Policy. The RTA Policy was signed into law at the end of 2022 as part of the 2023 Omnibus Spending Bill and comes into effect on October 1st, 2023.  

The dates here are quite significant.  

As of March 29th, there is a new set of requirements for all medical cyber devices. However, because the RTA Policy doesn’t come into effect until October 1st, there is a 6-month grace period where FDA will work collaboratively with applicants to remedy defects in their cybersecurity documentation.  

From October 1st onwards, FDA will reject or ‘refuse to accept’ submissions that don’t include the security measures mentioned above. There will be no collaboration or leeway. If your submission doesn’t detail the cybersecurity measures listed above, FDA will reject it on the spot.  

That is why it’s so important that medical device manufacturers act quickly and use the time they have now to adapt to the changes. Companies should start today and ensure that they are actively considering cybersecurity during the design and validation of their products.  

Important dates to remember: 

• May 12th, 2021: Joe Biden issues ‘Executive Order on Improving the Nation’s Cybersecurity Infrastructure’ which, amongst other things, calls for change to the Consolidated Appropriations Act (Omnibus Spending Bill).
• December 29th, 2022: As part of the Omnibus, a section is added to the FD&C Act, which requires medical device manufacturers to include certain security requirements in premarket submissions for medical cyber devices.
• March 29th, 2023: The new set of security requirements comes into effect for all cyber devices.
• March 29th, 2023 – October 1st, 2023: A 6-month grace period where FDA intends to work with applicants to remedy defects in their cybersecurity documentation.
• October 1st, 2023: Refuse to Accept Policy comes into force and submissions are immediately rejected if they do not meet certain security requirements.

A Significant Cybersecurity Shift  

New security requirements for medical cyber devices are significant as most medical device manufacturers already have connected devices on the market. One could go as far as to say that connectivity has become ubiquitous across devices in recent years.  

However, it is also true that medical device manufacturers have struggled to dedicate adequate resources to securing these devices. This has led to a situation where medical devices are becoming increasingly vulnerable and cyberattacks are ever more prevalent. For the healthcare industry, enforcing minimum security standards on all connected devices is a much-needed step in the right direction.   

‘Do Not Pass Go’ 

With this latest development, FDA is making it clear that medical device security engineering programs are vital, said Kevin Fu, director of the Archimedes Center for Health Care and Medical Device Cybersecurity at Northeastern University, and a former FDA adviser. Manufacturers “should expect ‘do not pass go’ on premarket clearance or approval,” unless they treat cybersecurity threats seriously, he said (source).

Background and History of RTA Policy For Cyber Devices 

The new set of security requirements is a byproduct of Joe Biden’s 2021 Cybersecurity Executive Order. The Executive Order outlined the need to modernize the country’s cybersecurity defenses and strengthen the country’s cybersecurity infrastructure.  

Joe Biden’s Executive Order led to several significant guidance documents being published and a host of positive moves regarding medical cybersecurity. This included the Omnibus Spending Bill (aka the Consolidated Appropriations Act) which was signed off in December 2022. Within this bill the FDA received a total of $3.5 billion in discretionary funding, an increase of $226 million above the 2022 fiscal year enacted level. It was stated that this funding would go towards addressing medical device supply chain issues and cybersecurity of medical devices amongst a handful of other named objectives.  

Section 3305 of the Omnibus Spending Bill (‘Ensuring Cybersecurity of Medical Devices’) amended the Federal Food, Drug, and Cosmetic Act (FD&C Act) by adding section 524B, Ensuring Cybersecurity of Devices. This is where increased security requirements and the RTA policy come into play. 

“Under section 524B(a) of the FD&C Act, a person who submits a premarket application or submission – including 510(k), premarket approval application (PMA), Product Development Protocol (PDP), De Novo, or Humanitarian Device Exemption (HDE) — for a device that meets the definition of a cyber device, as defined under section 524B(c), is required to submit information to ensure that cyber devices meet the cybersecurity requirements under section 524B(b).” 

The FDA also provided the following information about the previously mentioned grace period. 

“As provided by the Omnibus, the requirements of section 524B do not apply to an application or submission submitted to the FDA before March 29, 2023. For devices submitted after March 29, 2023, the FDA generally intends not to issue “refuse to accept” (RTA) decisions for premarket submissions for cyber devices that are submitted before October 1, 2023, based solely on information required by section 524B of the FD&C Act. Instead, the FDA will work collaboratively with sponsors of such premarket submissions as part of the interactive and/or deficiency review process.” 

What Does All This Mean for You? 

After a string of high-profile cyber-attacks in recent years, several industry experts have called for a greater focus on cybersecurity for medical devices. Many have also suggested that cybersecurity won’t take center stage until the FDA makes it so. With these security requirements and the RTA policy, it appears that time has come.  

The onus is now on medical device manufacturers to prepare for the October 1st deadline. Companies need to put the right systems, processes and tools in place to ensure compliance and to ensure that their products meet the four security requirements listed at the start of this post.  

For medical device manufacturers, SelectEvidence™ from Nova Leah provides the ultimate solution. SelectEvidence™ is a cybersecurity risk management solution for connected medical devices that automates the continuous monitoring of vulnerabilities and the identification of related mitigations, while generating live regulatory reports.  

SelectEvidence™ can help medical device manufacturers to meet new guidelines with minimum fuss. If you would like to learn more about SelectEvidence™, please check out our product page. 

With the deadline fast approaching, there is no time to delay. We can walk you through exactly what needs to be done to ensure that your cyber devices meet the new cybersecurity requirements. 

Book a demo today