In response to growing concerns about the security of medical devices, the U.S. Food and Drug Administration (FDA) has established new cybersecurity requirements for manufacturers. The Consolidated Appropriations Act, 2023 (“Omnibus”), signed into law on December 29, 2022, includes Section 3305, which focuses on “Ensuring Cybersecurity of Medical Devices.” This addition to the Federal Food, Drug, and Cosmetic Act (FD&C Act) introduces Section 524B, titled “Ensuring Cybersecurity of Devices,” and mandates that the updated requirements become effective on March 29, 2023.
The healthcare industry has long struggled to secure medical devices, which often suffer from unpatched security flaws, outdated software, and insufficient security features. These vulnerabilities leave them exposed to attacks from malicious actors seeking to infiltrate healthcare networks and access sensitive patient data. The FBI reports that more than half of all medical devices used in hospitals have critical unaddressed vulnerabilities. On average, these devices harbor over six exploitable vulnerabilities, and over 40% of them have reached the end of their life cycle, leaving limited opportunities for security improvements.
The consequences of insecure medical devices can be severe. Successful cyberattacks on these devices can compromise patient safety, disrupt healthcare operations, and result in significant financial and reputational damage for healthcare providers. By introducing new cybersecurity requirements, the FDA aims to mitigate these risks and create a more secure landscape for medical devices.
To address these concerns and foster a more cooperative relationship between the FDA and device sponsors, the agency has issued guidance for device manufacturers and FDA staff regarding the new cybersecurity requirements. Prior to October 1, 2023, the FDA aims to refrain from issuing “refuse to accept” (RTA) decisions concerning premarket submissions for cyber devices, based solely on the grounds of Section 524B of the FD&C Act. Rather, the FDA plans to work in conjunction with sponsors submitting such premarket applications throughout the interactive and/or deficiency review process. This approach allows manufacturers time to adapt to the new requirements and paves the way for more effective identification and resolution of potential cybersecurity issues, ultimately benefiting patients and healthcare providers.
Starting October 1, 2023, the FDA expects sponsors of cyber devices to have prepared premarket submissions containing the necessary information required by Section 524B of the FD&C Act. After this date, the FDA may issue RTA decisions for submissions that do not meet the requirements.
The updated requirements for cyber device manufacturers include submitting a plan to monitor and address postmarket cybersecurity vulnerabilities, designing and maintaining processes to ensure device and system security, providing a software bill of materials, and complying with any additional requirements set by the Secretary. These requirements emphasize the need for continuous monitoring and improvement of cybersecurity measures throughout the device’s life cycle. Manufacturers will be expected to stay up to date with emerging cybersecurity threats and respond accordingly by developing and implementing patches and updates as needed.
By implementing these updated cybersecurity requirements, the FDA aims to enhance the safety and security of medical devices and related systems, protecting patients and healthcare providers from potential cyber threats. This proactive approach seeks to minimize risks and promote a more secure healthcare environment. In the long run, these measures will contribute to the overall resilience of healthcare systems and help ensure the continued delivery of safe and effective patient care.