FDA Publishes New Guidance on Medical Device Cybersecurity Requirements
The U.S. Food and Drug Administration (FDA) has published new guidance on its requirement for medical device manufacturers to include details of the cybersecurity measures that have been implemented for new products in premarket submissions.
Medical devices with wireless, internet, and network-connected capabilities are increasingly being used in healthcare, and while these devices have helped to improve the care provided to patients, they have the potential to threaten patient safety if they lack appropriate cybersecurity protections. Cyberattacks on the healthcare industry have increased, with advanced persistent threat actors and cybercriminal groups actively targeting the sector. Many attacks have rendered medical devices inoperable and have forced critical IT systems to be shut down, which has clinical impacts that put patient safety at risk, such as delaying diagnoses and treatments.
“Increased connectivity has resulted in individual devices operating as single elements of larger medical device systems. These systems can include healthcare facility networks, other devices, and software update servers, among other interconnected components,” explains the FDA in its guidance. “Consequently, without adequate cybersecurity considerations across all aspects of these systems, a cybersecurity threat can compromise the safety and/or effectiveness of a device by compromising the functionality of any asset in the system.”
In order to ensure the security of medical devices throughout their lifecycles, the FDA requires medical device manufacturers to implement a secure product development lifecycle to reduce the number and severity of vulnerabilities throughout the entire lifecycle of their devices. Device manufacturers are required to conduct threat modeling and outline their plans for addressing post-market vulnerabilities in the devices, such as through patching and software updates. They must also include details of the methods for coordinated disclosures of exploits and must supply a software bill of materials that includes details of all third-party commercial, open source, and off-the-shelf software components that are used in their devices.
On October 1, 2023, the FDA’s refuse-to-accept policy will come into force for premarket submissions that lack the required cybersecurity information. The policy was formally adopted on March 29, 2023; however, the FDA provided medical device manufacturers with a 6-month grace period, which has now come to an end. From October 1, 2023, premarket submissions for any device that lacks the appropriate cybersecurity information will be rejected. The FDA has confirmed that, as part of its review process, it will work collaboratively with medical device manufacturers whose applications were pending with the FDA at the time the guidance was published, as well as with those that submit applications after the initial publication of the guidance.
Medical device manufacturers should review the updated guidance document – Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions – to ensure their products include the required cybersecurity information. If there is any doubt as to whether the new requirements have been met, device manufacturers should seek advice from the FDA in advance of submitting their applications. The latest guidance supersedes the FDA’s previous guidance on medical device cybersecurity that was issued in October 2014 – Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.