As of Oct 1, lax cybersecurity is grounds for FDA rejection and potential criminal prosecution
For years, the FDA has coaxed medical device makers to take cybersecurity seriously. A law ensuring cybersecurity for medical devices passed by Congress in Dec ‘22, had a grace period for enforcement.
In September that grace period expired and the FDA issued a wake up call: now the FDA will refuse to accept device submissions that pose too great of a cyber risk to patients.
Additionally, failure to comply with FDA cybersecurity requirements is prohibited and the government has the legal power to prosecute violations criminally.
What is Cybersecurity for the FDA?
Patient safety is always the number one guiding principle with FDA regulations. Cybersecurity for the FDA means two things: keeping patients safe and maintaining the privacy of patient data.
In 2011, Jay Radcliffe at the Black Hat USA conference shocked the medical community when he demonstrated how an insulin pump and glucose monitor that he wore could be hacked and manipulated — potentially harming the wearer.
Less dramatically, all device data should be collected and stored as securely as patient personal data. Devices often contain software to monitor the health of the device itself (i.e. how many times it has been used, so that it can receive regular on-time maintenance), which is key for patient safety. As an example, if a device does not achieve a required temperature because it’s worn out, then it may either be ineffective or unsafe for a patient.
As late as 2022, cybersecurity was not being taken seriously by device makers, with less than half of devices taking the most basic step to secure data (binary code analysis), and only 27% maintaining a software bill of materials.
Even in 2023, again and again we are reminded that patient data — think name, social security number, etc. — is not being safeguarded in all cases, putting patients at risk for identity theft and other mis-uses of their private information.
Who do the new rules apply to?
Any device that has bluetooth, a USB port, wifi, software, collects data, or sends data to the cloud are regarded to have cyber capabilities by the FDA, and therefore subject to the new regulations. Medical devices with cyber capabilities now should read the latest Cybersecurity in Medical devices guidance document released Sept 27th, 2023, which includes more details on requirements for cybersecurity risk assessments, interoperability considerations, and documents needed for submission.
Overall, there are three core items on the FDA’s security checklist which must be included in new device submissions:
A plan to monitor and correct post-market cybersecurity vulnerabilities.
A process for secure design and development of devices.
Software Bill of Materials (SBOM).
Bizarrely, legacy devices (that are more likely to have weak security) are exempt from the new requirements — at least for now. It’s expected for existing devices to be grandfathered initially, but over time they will also need to submit to the FDA a plan to comply with those three core principles of medical device cybersecurity.
How to Get Secure
While most device manufacturers have in-house programmers, data scientists or IT experts, it is rare for one to also have experience meeting the particulars of FDA regulations.
Our FDA cybersecurity experts at PTL conduct a 3-step process that begins with an initial meeting to understand a client’s strategy. Afterwards, we conduct a gap assessment to find areas that need improvement. Then we create a corrective plan of action for those gaps, working closely with the device manufacturer and the FDA, at the same time.
Sit down with one of our cybersecurity experts for a free consultation to find out if the new rules apply to you, and how we can help you avoid costly negative interactions with the FDA.
Comments