The “Consolidated Appropriations Act of 2023” grants new authority to the FDA to enforce Cybersecurity for Medical Devices, making it mandatory for Medical Device Manufacturers (MDMs) to address cybersecurity as part of their Device Design. MDMs must submit a plan to monitor, identify, and address post-market cybersecurity vulnerabilities, and provide reasonable assurance that the device and related systems are cybersecure.
The authority of the FDA to enforce the amendments to the FD&C Act began at the end of March 2023. However, the FDA announced that strict enforcement will begin in October 2023. Failure to comply will result in a Refusal to Accept (RTA) response, causing rejection and delay of the submission. Between March and October, the FDA will work collaboratively with sponsors of premarket submissions as part of the interactive and/or deficiency review process. In this interim period, the FDA will come alongside manufacturers to help them get up to speed on needed cybersecurity measures.
Companies in the medical device industry must comply with the new law, including updating policies and procedures, implementing necessary security measures, and ensuring that their cybersecurity documentation meets the requirements outlined by the FDA. The latest draft guidance for Cybersecurity in premarket submissions should not be overlooked by MDMs, as it may be made final very soon. It documents the current expectations of the FDA and informs Manufacturers what the FDA will be looking for in new submissions in 2023 and beyond.
A lack of knowledge of these new requirements could lead to significant risks, including regulatory non-compliance, delays in bringing products to market, and potential harm to patients, operators, or HDOs if cybersecurity vulnerabilities are not addressed in a timely manner. Therefore, companies in this industry must take the necessary steps now to comply with the new law, including updating their policies and procedures, implementing necessary security measures, and ensuring that their cybersecurity documentation meets the requirements outlined in the guidance documents issued by the FDA, before it is too late.
Here’s what you need to know.
The new act requires medical device manufacturers to address cybersecurity as part of their device design, including addressing security risk management. These requirements cover all submission types, including “510(k), 513, 515(c), 21 515(f), or 520(m)”
Under the new law, MDMs must: “
In short, have a post-market surveillance plan, including plans for what to do when a new vulnerability is discovered (Disclosure!). The MDM must prove that they considered and reduced the cybersecurity risk in the design process, and there is a plan in place to patch the system when new vulnerabilities are disclosed (in a timely manner). The MDM must provide an SBOM with the submission, covering all SW in the device. And finally, there’s a catch-all rule to allow the Secretary additional discretion to request additional information as needed to provide assurance that Cybersecurity has been achieved.
The Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber Devices Under Section 524B of the FD&C Act guidance document states that when enforcement begins, if your cyber device pre-market submission has insufficient Cybersecurity documentation to assure the Secretary that your device is secure, you will be the recipient of a RTA (Refusal To Accept) response.
Your submission will be rejected, and your device will be delayed.
March 22, 2023 was to be the date enforcement began (March 29, 2023 by the FDA page), but at the last minute, the FDA pushed off to October 2023, as explained in Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber Devices Under Section 524B of the FD&C Act.
So, MDM’s creating new submissions on or after October 1, 2023, may receive an RTA decision for premarket submissions for “cyber devices” based solely on information required by section 524B of the FD&C Act (Section 3305 of the Omnibus Consolidated Appropriations Act of 2023). Between now and October, “the FDA will work collaboratively with sponsors of such premarket submissions as part of the interactive and/or deficiency review process. Which is NOT to say that cybersecurity issues get a free pass between now and then!
The “Consolidated Appropriations Act of 2023” also specifies an update to the 2014 Final Guidance Document: “‘Content of Premarket Submissions for Management of Cybersecurity in Medical Devices’ (or a successor document)” within 2 years, and periodically after that.
For postmarket cybersecurity planning, guidance is provided in “Postmarket Management of Cybersecurity in Medical Devices.” Strangely, this guidance was not mentioned in the “Consolidated Appropriations Act of 2023” despite the fact that postmarket surveillance is a major part of the cybersecurity requirements in the amendment. This final guidance lays out the FDA’s preferences for postmarket surveillance.
The delay in enforcement gives time for the 04/07/2022 Draft Guidance: “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions” to be made final. Its guidance should not be overlooked by MMs considering submissions in 2023 or beyond.
Other guidance that may be used to prepare for Device Cybersecurity in a Medical Device SDLC include:
|Playbook for Threat Modeling Medical Devices (MITRE)
|The Playbook for Threat Modeling is an educational resource for the medical device sector to learn how to effectively threat model. Many private and public sector organizations recommend threat modeling to help manage and respond to cyber threats and risks.
|Best Practices for Communicating Cybersecurity Vulnerabilities to Patients
|This paper outlines information for the FDA, federal partners, and industry stakeholders to help thoughtfully inform patients and the public about cybersecurity vulnerabilities.
|NIST Request on Presidential Executive Order: Comments Submitted by the FDA (PDF – 4MB)
|This paper provides relevant responses to the National Institute of Standards and Technology (NIST) call for position papers to fulfill the President’s Executive Order (EO) on Improving the Cybersecurity of the Federal Government (EO 14028), issued on May 12, 2021. It highlights existing FDA guidance documents and international standards on the science of cybersecurity for the premarket review of medical devices and post-market surveillance of cybersecurity incidents and vulnerabilities.
|Strengthening Cybersecurity Practices Associated with Servicing of Medical Devices: Challenges and Opportunities
|The FDA released this discussion paper to consider cybersecurity issues that are unique to the servicing of medical devices and to seek input on these topics.
A submission should provide evidence of
The law now says “a device that meets the definition of a cyber device” shall include the additional Cybersecurity information in its submissions to the FDA.
A “cyber device” is “a device that—
There is debate in the marketplace about what “has the ability to connect to the internet” means, but the FDA is very unlikely to allow a loophole because a device indirectly connects via a gateway. If there exists a path of communication of SW or Data between the Device and the internet, through whatever communication path, the device is a cyber device. DornerWorks cannot recommend trying to game the definition in that way.
If you have a device that is:
Then you may have a cyber device and be subject to the new law.
The FDA has the authority now to reject a medical device that is a Cyber Device if cybersecurity has not been addressed properly in premarket submissions. MDMs could face a roadblock to approval that wasn’t there last year.
Beginning in October, the FDA has signaled that they’ll draw a hard line on missing cybersecurity information:
“Beginning October 1, 2023, FDA expects that sponsors of cyber devices will have had sufficient time to prepare premarket submissions that contain information required by section 524B of the FD&C Act, and FDA may RTA premarket submissions that do not.”
By stating that sponsors will have had sufficient time, the FDA is signaling that they will not tolerate “We didn’t have enough time” complaints.
The time to be prepared is NOW.
DornerWorks has developed many medical devices — both SaMD and SiMD devices — which meet the definition of a cyber device, and we are working with our existing customers to ensure that their development dollars are well spent, to be ready for submission in the coming year. We’re here to help you as well.
If you have a device that you’re concerned might be a cyber device, then the time is NOW to ensure that your submission will be prepared when you are ready. Cybersecurity must be by design — not tacked on at the end. Wherever you are in the development process — from the idea stage to readying for submission, you can benefit from a cybersecurity review by DornerWorks. We can help you determine if you are ready and identify any shortcomings that may result in an RTA for your submission.
Just like safety risk, which every MDM is familiar with, Cybersecurity is a Risk-based development process. Cybersecurity By Design means evaluating security risk early, mitigating to reduce vulnerability risk, and injecting security risk requirements, implementation and verification into the development process, and planning for continued vigilance through the life of the device, including planning for end of life!
Choose an embedded developer that has the right risk-based approach to cybersecurity, able to guide you to a successful pre-market submission. You have a lot invested in your device. Don’t risk getting an RTA in response to your premarket submission. Schedule a meeting with DornerWorks medical solutions group today, and we will help you put your worries to rest with a product that meets regulatory requirements and delights your customers.