FDA Will Begin Rejecting Medical Devices Over Cyber SoonGuidance Says Device Makers Must Now Give Cyber Details for New Product Submissions
Medical device makers must include a cybersecurity plan in new product applications for Food and Drug Administration premarket approval, the agency announced Wednesday.
Starting Oct. 1, the agency says it will reject submissions that don't detail security measures including a plan to address postmarket vulnerabilities and a method for coordinated disclosures of exploits.
Each application must come with "a reasonable assurance" that the device and related systems are secure and that the manufacturer will develop patches to fix bugs.
In the period between Wednesday and Oct. 1, the agency says, it will work with applicants to remedy defects in their cybersecurity documentation.
The new requirements apply to any device that has software or can network with the internet and contains "any such technological characteristics" that could be vulnerable to a cybersecurity threat.
Authorization for the rule comes from a 2022 funding bill requiring the agency to implement cybersecurity requirements for medical device approval by March 29 (see: Exclusive: FDA Leader on Impact of New Medical Device Law).
Congress added the language amid mounting concern that device manufacturers have allowed vulnerabilities to creep into medical devices. Security researchers in 2018 disclosed potentially lethal vulnerabilities in pacemakers. The FBI in September warned of an "increasing number of vulnerabilities posed by unpatched medical devices."
The new authorities represent a significant step forward in the FDA’s role in regulating cybersecurity as part of a medical device’s safety and effectiveness and further safeguarding patient safety and national security, a FDA spokesperson said in a statement to ISMG.*
"Cybersecurity incidents can render medical devices and hospital networks inoperable with the potential to disrupt the delivery of patient care across health care facilities in the U.S. and globally. As we experience an increase in cyber threats across health systems, these new authorities will allow FDA to work with manufacturers and other device stakeholders to ensure that cyber devices are designed securely and reduce the likelihood of harm to patients," the statement said.
Unlike most other FDA guidance documents, this new final guidance is being implemented without prior public comment. The agency says it determined that prior public participation "is not feasible or appropriate" given lawmakers' 90-day deadline. The agency will consider comments for potential future revisions, it said.
The FDA is making it clear that medical device security engineering programs are vital, said Kevin Fu, a professor, the director of the Archimedes Center for Health Care and Medical Device Cybersecurity at Northeastern University, and a former FDA adviser. Manufacturers "should expect 'do not pass go' on premarket clearance or approval," unless they treat cybersecurity threats seriously, he said.
The six months between now and Oct. 1 give medical device makers enough time to comply with the new requirements, said Naomi Schwartz, senior director of cybersecurity quality and safety at security firm MedCrypt.
"The policy itself will hopefully improve the quality of submissions and reduce incomplete applications, thus freeing reviewers up to focus on submissions that are not missing significant portions of their expected content," she said.
*Update March 30, 2023 UTC 22:16: Story was updated with a statement from the FDA.