Cybersecurity in Medical Devices | Bio Boston Consulting


Cybersecurity in Medical Devices: Key Requirements Under the Consolidated Appropriations Act

Explore the importance of cybersecurity in medical devices and how the Consolidated Appropriations Act of 2024 (CAA) affects device manufacturers. Learn about the cybersecurity requirements, compliance expectations, and FDA guidance.

Over the last few years, rapid technological progress in healthcare has made its way into patient care, producing everything from small to highly complex medical devices and changing how treatment is delivered. Although this has helped in many ways, it has also created a new set of challenges, especially in the domain of cybersecurity. As medical devices become more interconnected and more reliant on software, their exposure to cyber threats has grown considerably. Legislative action has been taken to address these risks and strengthen medical device cybersecurity, including the Consolidated Appropriations Act, 2023 (CAA), which made significant changes to the Federal Food, Drug, and Cosmetic Act (FD&C Act) to improve medical device cybersecurity.

Medical Device Cybersecurity and the Consolidated Appropriations Act, 2024

Details on Section 524B of the FD&C Act

In this article, we briefly review the key medical device cybersecurity provisions of the Consolidated Appropriations Act, 2024, the so-called “Omnibus” spending bill that was signed into law by President Biden on December 29, 2022. Section 3305 of the Omnibus, “Protecting Medical Devices from Cybersecurity Risks,” added section 524B to the Federal Food, Drug, and Cosmetic Act (FFDCA), which addresses the cybersecurity of medical devices.

Highlights of section 524B include the following: 

Defining the Scope 

Section 524B(a) of the FD&C Act applies to any medical device, or any component, part, or accessory of one, that falls within the definition of a “cyber device.” It applies to any person or entity submitting a premarket application or submission (including both PMAs and 510(k)s) for such a device. A cyber device is defined as a device that contains software controlled by the sponsor, is capable of connecting to the internet, and has attributes that could be susceptible to cybersecurity vulnerabilities.

Compliance Timeline 

The requirements of section 524B apply to manufacturers submitting premarket applications or submissions for cyber devices on or after the effective date, which the Act sets at one year after enactment: March 29, 2023. This covers all types of premarket submissions, including 510(k), PMA, PDP, De Novo and HDE. Submissions made prior to March 29, 2023, are not covered under this law, so nothing can be challenged retroactively.

Cybersecurity Requirements 

Section 524B(b) of the FD&C Act sets out the requirements that cyber devices must address:

Vulnerability Management Plan: Manufacturers must submit a plan describing how they will monitor, identify, and address postmarket cybersecurity vulnerabilities and exploits. This includes coordinated vulnerability disclosure procedures.

Cybersecurity Processes and Procedures: Manufacturers must establish, implement, and maintain processes and procedures that provide reasonable assurance that the cyber device and its associated systems are cybersecure. They must also make postmarket updates and patches available for these systems.

Software Bill of Materials (SBOM): Manufacturers must include an SBOM listing all commercial, non-commercial, and off-the-shelf software components in the device. 

Further, the FDA is empowered to promulgate additional cybersecurity-related regulations requiring devices and their associated systems to be adequately protected against cyberattack.

Answering Questions from Manufacturers 

Who is Required to Comply? 

With respect to any device that meets the definition of a cyber device under section 524B(c), the requirements of sections 524B(a) and (b) of the FD&C Act apply to manufacturers submitting premarket applications for such devices. These cover different types of premarket submissions such as 510(k), PMA, PDP, De Novo and HDE. 

Defining a Cyber Device 

A cyber device means a device that (A) includes software validated, installed, or authorized by the sponsor; (B) is able to connect to the Internet; and (C) has technological features that are susceptible to cybersecurity threats. Manufacturers that are unsure whether their device meets the definition of a cyber device may contact the FDA for guidance.

Retrospective Application of the Law

This law applies to any cyber device that requires premarket review by the FDA, including changes to previously authorized devices that go through the submission process, even though the cybersecurity requirements do not extend back to submissions prepared before March 29, 2024.

Demonstrating Compliance 

Manufacturers will need to provide evidence of compliance with the cybersecurity requirements in section 524B(b) of the FD&C Act. This includes submitting vulnerability management plans, secure process design documents, update and patch schedules, and an SBOM.

Making Use of the Resources at Your Disposal

To comply with section 524B(b), manufacturers may rely on a variety of resources: 

FDA Guidance: The 2014 FDA guidance “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” and the 2016 guidance “Postmarket Management of Cybersecurity in Medical Devices” provide recommendations on cybersecurity lifecycle management for medical devices.

Consensus Standards: External consensus standards such as AAMI/UL 2900-1:2017 and IEC 81001-5-1:2021 provide support for cybersecurity-related documentation.

Software Component Transparency: The document “Framing Software Component Transparency,” produced by the NTIA Multistakeholder Process on Software Component Transparency in October 2021, outlines the scope and baseline elements for building a common SBOM.

Conclusion

Cybersecurity in medical devices
