New FDA Cybersecurity Regulations for Medical Devices

In March 2023, the U.S. Food & Drug Administration (FDA) issued a guidance document explaining how it will apply new statutory cybersecurity requirements for medical devices. The guidance clarifies what manufacturers must now address in device design, labelling and premarket documentation.  

These updates come at a crucial time: the healthcare industry has seen rapid growth in connected medical equipment, which means new endpoints to manage and new risks to secure. Between 2020 and 2021, cyberattacks on the global healthcare industry increased by 45%.

In this article, we answer some of the common questions you might have surrounding these updates, and more. 

Manufacturers of glucose monitoring devices and more will be affected by the new regulations

Regulatory background 

These cybersecurity considerations are not new. They follow on from a 2022 draft guidance document, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.  

The 2022 draft guidance gave a first look at FDA’s approach to mitigating cybersecurity risks in medical devices. It set out expectations for stakeholders across the medical industry, including “health care facilities, patients, providers, and manufacturers of medical devices”, all of whom were expected to maintain proactive cybersecurity and mitigation strategies. 

However, because cybersecurity threats evolve rapidly, regulatory frameworks have to keep pace. 

Who and What Medical Devices are Subject to the New Requirements? 

The 2022 draft guidance spread responsibility for cybersecurity across numerous stakeholders, including health care facilities, providers and patients. 

The new requirements shift the lion’s share of responsibility for cybersecurity mitigation onto the manufacturers of medical “cyber devices”. 

A cyber device is defined as one that: 

  1. Contain software validated, installed, or authorized by the sponsor as a device or in a device;  
  2. Have the ability to connect to the internet, including “the cloud” or other shared network; and 
  3. Contain any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats 

What are the New Cybersecurity Requirements? 

Manufacturers of devices that meet all three of the above criteria must demonstrate compliance with each of the following requirements: 

  1. Submit a plan to monitor, identify, and address, as appropriate, in a reasonable time, post-market cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures; 
  2. Design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available post-market updates and patches to the device and related systems; and 
  3. Provide a software bill of materials, including commercial, open-source, and off-the-shelf software components. 
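
The first and third requirements work together: the software bill of materials (SBOM) is what lets a manufacturer tell, when an advisory is published, whether a fielded device carries the affected component. The following script is an added example and is not code from the article or from FDA. It loads a constructed CycloneDX-style JSON SBOM for a hypothetical device, compares each listed component against a constructed advisory feed, and reports the components whose installed version is below the first fixed version. The device name, component versions and advisory identifiers are all fabricated for illustration; the `EXAMPLE-ADV-*` IDs are placeholders, not real CVEs.

```python
"""Match a CycloneDX-style SBOM against an advisory feed.

Added example (not from the article or from FDA guidance). Shows how the SBOM
required by the third requirement feeds the post-market vulnerability
monitoring required by the first. All data below is constructed sample data.
"""
from __future__ import annotations

import json
import re
from typing import Iterable

# Constructed minimal CycloneDX 1.5 JSON SBOM for a hypothetical device.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "device",
                               "name": "example-pump-firmware", "version": "4.2.0"}},
    "components": [
        {"type": "library", "name": "zlib", "version": "1.2.11",
         "purl": "pkg:generic/zlib@1.2.11"},
        {"type": "library", "name": "libcurl", "version": "8.4.0",
         "purl": "pkg:generic/libcurl@8.4.0"},
        {"type": "operating-system", "name": "example-rtos", "version": "3.1.7"},
        {"type": "library", "name": "mbedtls", "version": "2.28.3",
         "purl": "pkg:generic/mbedtls@2.28.3"},
    ],
})

# Constructed advisory feed. IDs are placeholders, not real CVEs; "fixed_in"
# is the first version that carries the fix.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "component": "zlib", "fixed_in": "1.2.12"},
    {"id": "EXAMPLE-ADV-0002", "component": "libcurl", "fixed_in": "8.4.0"},
    {"id": "EXAMPLE-ADV-0003", "component": "mbedtls", "fixed_in": "2.28.4"},
    {"id": "EXAMPLE-ADV-0004", "component": "openssl", "fixed_in": "3.0.11"},
]


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '1.2.11' into (1, 2, 11). Parsing stops at the first non-numeric part."""
    parts: list[int] = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts) or (0,)


def is_affected(installed: str, fixed_in: str) -> bool:
    """True when the installed version is strictly below the first fixed version.

    Both tuples are zero-padded to the same length so '1.2' equals '1.2.0'.
    """
    a, b = parse_version(installed), parse_version(fixed_in)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def load_components(sbom_json: str) -> dict[str, str]:
    """Return {component name: version} from a CycloneDX JSON document."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    return {c["name"]: c["version"] for c in bom.get("components", []) if "version" in c}


def match_advisories(sbom_json: str, advisories: Iterable[dict]) -> list[dict]:
    """Return one record per advisory that applies to a component in the SBOM."""
    components = load_components(sbom_json)
    hits = []
    for adv in advisories:
        installed = components.get(adv["component"])
        if installed is None:
            continue  # component not shipped in this device; nothing to triage
        if is_affected(installed, adv["fixed_in"]):
            hits.append({"id": adv["id"], "component": adv["component"],
                         "installed": installed, "fixed_in": adv["fixed_in"]})
    return hits


if __name__ == "__main__":
    for hit in match_advisories(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(f"{hit['id']}: {hit['component']} {hit['installed']} "
              f"-> update to {hit['fixed_in']}")
```

With the constructed data, zlib and mbedtls are reported, libcurl is not (it already carries the fixed version) and the openssl advisory is ignored because that component is not in the SBOM. A real feed would key on package URLs (purl) rather than bare names, and version schemes that are not dotted integers need a scheme-specific comparison; the point here is that without a machine-readable SBOM this triage cannot be automated at all.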
The healthcare industry experiences over 40 percent more cyber attacks than other industries

When will these Requirements Come into Force? 

The new cybersecurity requirements came into effect on March 29, 2023. From that date, any manufacturer submitting a premarket application for a cyber device must adhere to them.

However, the FDA intends to exercise enforcement discretion until October 1, 2023. Until then, the agency will not refuse to accept a premarket application solely because it omits the cybersecurity information above.  

Instead, the FDA will work with applicants to obtain the missing information while the application continues through review. 

Moving Forward 

With these requirements, the U.S. government has made clear that it considers cybersecurity a top priority in the medical device space, to the point that critical safeguards must be built in at the design and manufacturing stages, long before a device reaches the market. 

If you’d like to find out more on how to position yourself for success by prioritizing cybersecurity safeguards in device design and development, contact one of our industry experts today. Alternatively, try out our SIMs or read more about IoT applications in healthcare. 
