In today’s landscape of increasingly connected devices, the fusion of healthcare and technology offers transformative opportunities in patient care. However, this digital evolution also opens a Pandora’s box of cybersecurity vulnerabilities, particularly in medical devices. Recognising this pressing issue, the US Food and Drug Administration (FDA) recently issued new regulations aimed at mitigating these risks. This action elevates cybersecurity to a central position in the manufacturing and management of medical devices.
Let’s take a comprehensive look back at our 17 August webinar, where we explored the FDA’s new regulations on medical device cybersecurity.
The Changing Landscape: Why Cybersecurity Matters
First things first: why is this a hot topic at the moment? As the Internet of Medical Things (IoMT) expands, the conversation around these FDA guidelines becomes more critical. We’re moving beyond the point where cybersecurity can be dismissed as just an IT issue. It’s now fundamentally a patient safety issue. Imagine a scenario where a medical device is compromised; the consequences could range from erroneous readings to altered functionality, or even life-threatening situations.
Legislative Updates: What Changed in the FDA Regulations
So what’s changed? Congress threw a curveball in December 2022 by updating the Federal Food, Drug, and Cosmetic Act (FD&C Act) through an omnibus bill. This introduced Section 524B, which allows the FDA to halt market clearance based on identified cybersecurity vulnerabilities. Manufacturers now have until March 2023 to comply. It’s worth noting that the FDA has begun issuing a Refuse to Accept (RTA) for premarket clearance applications that don’t comply with these new guidelines – effective 1 October. Note, however, that these changes are not retroactive; if your application was submitted before March 2023, you’re in the clear.
A Deep Dive into the FDA’s New Regulatory Stipulations
As we move from the ‘why’ to the ‘what’, let’s delve into the specifics of the FDA’s new regulations. These guidelines take a comprehensive view of the medical device lifecycle, from design through post-market surveillance. Here’s a snapshot of what manufacturers need to focus on:
Pre-Market: Planning for Security from Day One
Here’s what manufacturers need to consider before launch, according to the FDA:
Risk Management Plans
Manufacturers are now required to have a dedicated risk management plan that details the cybersecurity threats their devices might face, along with proposed mitigation strategies.
Configuration Management Plans
In line with the FDA’s new pre-market guidance, manufacturers must also include a configuration management plan. This outlines not only the device settings but also how they can be securely modified.
A Focus on Data Quality
High-quality data is critical to this process, especially if elements of your training or verification data come from publicly available databases. These databases must have well-maintained documentation to be considered reliable.
Post-Market: Ongoing Vigilance is Key
The FDA now expects companies to have a post-market cybersecurity plan in place. This isn’t just about responding to issues as they arise, but taking a proactive approach to identifying vulnerabilities before they can be exploited.
Data Reviews and Management Reviews
In the post-market phase, it is critical to have a broad scope of external reviews. These should include not only post-market surveillance data, but also any root causes that may have been previously overlooked. All these types of data should be integrated into your regular management review programmes. If significant risks emerge from these reviews, they need to be addressed in management discussions.
Cybersecurity Bill of Materials
Another new post-market expectation is the creation of a cybersecurity bill of materials, which lists all components that are critical to the cybersecurity aspects of the device.
Collaboration is Key: Information Sharing and Analysis Organizations
The new FDA regulations also encourage industry-wide collaboration through Information Sharing and Analysis Organisations (ISAOs). The cybersecurity landscape is constantly evolving, and staying ahead of threats requires collective intelligence. ISAOs are platforms for companies within the industry to share data about the cybersecurity threats and vulnerabilities they face. These collaborative efforts have gained particular traction in regions such as New Zealand, and are a powerful way to stay ahead of cyber threats.
Additional Layers of Cybersecurity: Points to Consider
To develop robust cybersecurity measures for your medical devices, it’s important to also keep the following considerations in mind:
Quality Data: The Building Block
Whether you are developing, verifying, or maintaining a medical device, data quality matters. If your data comes from publicly available databases, ensure that the database has well-maintained documentation, as this lends credibility and reliability to your own processes.
Comprehensive Reviews
When conducting external reviews, don’t just focus on the data post-market; include broader reviews that capture any missed root causes or unidentified risks. This should be an integral part of your management review, combined with post-market surveillance and ISO data.
Make Cybersecurity a Priority
One of the most practical ways to allocate resources to your cybersecurity programme is to appoint a cybersecurity lead. Even if the lead only devotes part of their time, having a designated person responsible for this aspect can make a significant difference. This person should be included in policy documents and actively involved in annual planning.
Management’s Role: Plan, Don’t React
For executives and management, resource planning for cybersecurity is not optional; it’s a responsibility. Metrics and key performance indicators (KPIs) need to be developed and reviewed. If these are not being met, there must be adequate justification. Allocating sufficient resources to cybersecurity is critical. If you identify risks in your external reviews, these should be considered in management reviews.
Practical Resources for Implementation
If you’re feeling overwhelmed, don’t worry. We’ve compiled a list of resources, including the FDA’s foundational documents and industry-specific guides from organisations like the Johner Institute, to help you get started. We have also outlined a detailed action plan that will take you from pre-market preparation to post-market resilience, from risk management to routine monitoring.
Here is our list of useful resources:
- FDA Guidance Documents: These are foundational materials for any medical device company.
- NIST National Vulnerability Database: Offers an authoritative source on security features and vulnerabilities.
- Industry Checklists and Playbooks: Useful tools for implementing cybersecurity measures in line with FDA guidelines.
- Johner Institute IT Security Guideline for Medical Devices: Includes an integration checklist, is maturity-based, and is approved by Notified Bodies.
- Questionnaire “IT Security for Medical Devices”: Developed by the interest group of notified bodies; it is also used in audits.
- Johner Institute AI Guideline: Helps with AI-specific questions.
Action Plan: Meeting the FDA’s Cybersecurity Requirements
Wondering how to stay on top of FDA cybersecurity requirements? Here is your action plan:
Pre-Market Preparations
- Implement Cybersecurity Risk Management Program: Adopt a program based on standards like AAMI TIR57.
- Design Out Vulnerabilities: Prioritize eliminating vulnerabilities during the design phase.
- Penetration Testing: Incorporate penetration testing as part of your Verification & Validation (V&V) processes.
- Tabletop Incident Response Plan: Create and review a theoretical incident response plan.
- SOUP and 3rd Party Tools: Understand the impact of Software of Unknown Pedigree (SOUP) and third-party tools in your device.
Post-Market Resilience
- Integrate Cybersecurity into Post-Market Surveillance (PMS): Use PMS data to update and refine your cybersecurity measures.
- Establish and Drill Incident Response Plans: Regularly update and practice your response to potential cybersecurity incidents.
- Monitor Third-Party Tools and SOUP: Keep an eye on vulnerabilities and updates related to third-party tools and SOUP.
- Implement ISMS: Adopt an Information Security Management System, like ISO 27001, to manage security protocols effectively.
Ongoing Analysis
- CBOM Analysis: Continuously monitor your Cybersecurity Bill of Materials against known vulnerabilities in the listed products. Utilize databases that offer user-reported data with CVSS scores.
- Interoperability Analysis: Understand how your device interacts with other components, systems, and environments. Adhere to FDA and IEC 82304 guidance for this often-overlooked element of risk management.
Continuous Monitoring
- Post-Market Surveillance: Routinely monitor external data sources for new vulnerabilities or incidents affecting similar devices.
- Internal System Review: Regularly conduct internal audits, and allocate adequate resources for cybersecurity within your organisation.
Monitoring and Review Activities: Activity Methodology and Frequency
- Threat Modeling: Conduct quarterly reviews to identify new system processes exposing cybersecurity risks.
- Penetration Testing: Engage third-party suppliers for annual penetration tests.
- QA & Testing: Perform verification and validation (V&V) protocols quarterly, or as required by system releases.
- Hardware and Software OTS Components Review: Review Bills of Materials (BOMs) and Software Bills of Materials (SBOMs) quarterly for any newly disclosed vulnerabilities.
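The CBOM analysis step above and the quarterly BOM/SBOM review both come down to the same mechanical check: take the component inventory, match each entry against an advisory feed, and rank what matches by CVSS so the management review starts with the highest-risk items. The script below is an added example written for this post, not code from the webinar, the FDA or the Johner Institute. It assumes a CycloneDX-style component list (the component names, versions and the hardware entry are invented for a hypothetical device), a small advisory feed with placeholder identifiers rather than real CVE numbers, and a simplified version-constraint syntax (`>=`, `<=`, `<`, `>`, `==`, comma-joined); in practice the feed would be pulled from a source such as the NIST National Vulnerability Database listed earlier.

```python
"""Added example: match a CBOM/SBOM against an advisory feed and rank by CVSS.
Not the webinar's or any vendor's code; all sample data below is constructed."""
import json
import re
from dataclasses import dataclass

# Constructed CBOM in a CycloneDX-like shape. Hypothetical device, not a real inventory.
SAMPLE_CBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library",  "name": "tls-lib",        "version": "1.2.1"},
    {"type": "library",  "name": "json-parser",    "version": "2.0.3"},
    {"type": "firmware", "name": "ble-stack",      "version": "4.1.0"},
    {"type": "hardware", "name": "secure-element", "version": "B2"},
    {"type": "library",  "name": "logging-lib",    "version": "0.9.0"}
  ]
}
"""

# Constructed advisory feed. IDs are placeholders (not CVEs); CVSS base scores are illustrative.
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "component": "tls-lib",     "affected": ">=1.0.0,<1.2.4",  "cvss": 9.8},
    {"id": "ADV-EXAMPLE-0002", "component": "json-parser", "affected": "<2.0.0",          "cvss": 7.5},
    {"id": "ADV-EXAMPLE-0003", "component": "ble-stack",   "affected": ">=4.0.0,<=4.1.0", "cvss": 6.1},
    {"id": "ADV-EXAMPLE-0004", "component": "logging-lib", "affected": "==0.9.0",         "cvss": 3.7},
]

_OPS = {
    "==": lambda a, b: a == b,
    "<=": lambda a, b: a <= b,
    ">=": lambda a, b: a >= b,
    "<":  lambda a, b: a < b,
    ">":  lambda a, b: a > b,
}
_CONSTRAINT = re.compile(r"^(==|<=|>=|<|>)\s*([\w.\-]+)$")


def parse_version(text):
    """Numeric fragments of a version string as a tuple; 'B2' (a hardware revision) becomes (2,)."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def _padded(a, b):
    """Zero-pad two version tuples to equal length so (2,0) compares equal to (2,0,0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def version_matches(version, spec):
    """True if `version` satisfies every comma-separated clause in `spec`."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = _CONSTRAINT.match(clause.strip())
        if not m:
            raise ValueError(f"unsupported constraint: {clause!r}")
        op, bound = m.groups()
        lhs, rhs = _padded(v, parse_version(bound))
        if not _OPS[op](lhs, rhs):
            return False
    return True


def cvss_severity(score):
    """CVSS v3.x qualitative rating bands."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low" if score > 0.0 else "None"


@dataclass(frozen=True)
class Finding:
    advisory_id: str
    component: str
    version: str
    component_type: str
    cvss: float
    severity: str


def load_components(cbom_json):
    bom = json.loads(cbom_json)
    return [(c["name"], c["version"], c.get("type", "unknown")) for c in bom.get("components", [])]


def match_advisories(components, advisories):
    """Every (component, advisory) pair whose version falls in the affected range, highest CVSS first."""
    findings = [
        Finding(adv["id"], name, version, ctype, adv["cvss"], cvss_severity(adv["cvss"]))
        for name, version, ctype in components
        for adv in advisories
        if adv["component"] == name and version_matches(version, adv["affected"])
    ]
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def run_cbom_review(cbom_json=SAMPLE_CBOM_JSON, advisories=SAMPLE_ADVISORIES, threshold=7.0):
    """Full pass: everything that matched, plus the subset at or above the action threshold."""
    findings = match_advisories(load_components(cbom_json), advisories)
    return {"all": findings, "action": [f for f in findings if f.cvss >= threshold]}


if __name__ == "__main__":
    report = run_cbom_review()
    for f in report["all"]:
        print(f"{f.severity:8} {f.cvss:4} {f.advisory_id} {f.component} {f.version} ({f.component_type})")
    print(f"{len(report['action'])} finding(s) need a documented response for the management review")
```

The threshold is a triage aid, not a substitute for the risk analysis: a Medium-scored issue in a component that sits on the therapy path may still warrant action, so the full sorted list, not only the "action" subset, belongs in the quarterly review record alongside the justification for anything left open.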
Recommended Deliverables for Compliance
- Configuration Management Plan
- Post-Market Plan for Cybersecurity
- Cybersecurity Risk Management Plan, Analysis, Report
- Cybersecurity Bill of Materials
Closing Thoughts: Good Engineering Equals Good Security
The new FDA guidelines may seem daunting, but remember: good engineering inherently includes good cybersecurity. The real challenge is documentation and proactivity. The best engineers in the medical device industry are not only competent, they are also adept at documenting their competence. So document rigorously, plan your resources wisely, and approach cybersecurity as an ongoing process rather than a one-off task.
In summary, the new FDA medical device cybersecurity regulations are not just regulatory measures; they are comprehensive best practices that are closely aligned with overall engineering quality. Therefore, fully understanding and implementing them not only ensures compliance, but also improves product quality and safety.
By adopting these guidelines, we can collectively help make healthcare safer, more reliable and ultimately more effective for everyone.
Want to know more about cybersecurity? Check out our new free webinar!