A Candid Conversation with the FDA: Medical Device Cybersecurity
Cyber threats pose patient safety risks to the healthcare sector, prompting the Food & Drug Administration (FDA) to increase its regulation of medical device cybersecurity. CloudWave recently hosted a webinar discussion with Jessica Wilkerson, Senior Cyber Policy Advisor and Medical Device Cybersecurity Team Lead, to provide an overview of the FDA’s recently updated medical device cybersecurity guidance to help healthcare organizations understand how they fit into a comprehensive cybersecurity risk management strategy. She shared the following:
- Examples of cyber incidents that have impacted medical devices
- Recent regulation changes
- Premarket cybersecurity guidance
- FDA resources available to healthcare organizations
Real-World Cybersecurity Incidents Affecting Medical Devices
The first example involves a medical device designed to be 100% dependent on a remote connection to the manufacturer’s corporate network for dosing calculations. When the manufacturer experienced a ransomware attack and took its network offline, those devices could no longer receive the dose to be given to a particular patient, creating severe consequences for the patients who relied on them for treatment.
Another manufacturer that experienced a ransomware incident pulled down its network to stop the spread, shutting down one of its manufacturing facilities for four days, potentially creating a supply chain shortage of these devices.
Sometimes, accidents simply happen. A manufacturer forgot to update critical user authentication software, so the medical devices stopped working when that software expired. Users could not log in until a field engineer fixed individual devices.
Other times, it’s not the device. One incident occurred when a ransomware incident at a hospital impacted the server containing treatment plans. Some devices couldn’t be used because they didn’t have information on the treatment plan. The lesson here is to label which servers in an environment are associated with medical devices.
As the number of cybersecurity incidents affecting medical devices grows, regulatory bodies like the FDA are taking steps to address these risks by strengthening regulations.
Recent Regulation Changes
In March 2023, Section 524B of the Food, Drug & Cosmetic (FD&C) Act went into effect to ensure the cybersecurity of medical devices. It defines a cyber device as a device that:
- Includes software validated, installed, or authorized by the manufacturer as a device or in a device
- Can connect to the internet
- Contains any technical characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats
It’s important to note that some medical devices claim they are not meant to be connected. However, the FDA cautions that if the device possesses the inherent ability to connect to the internet (a USB port, Wi-Fi, Bluetooth, or a cloud connection), it is still subject to the 524B requirements.
If the medical device meets the definition of a cyber device, the manufacturer must:
- Submit a plan to the FDA describing how it will monitor, identify, and address in a timely manner post-market cybersecurity vulnerabilities and exploits.
- Design, develop, and maintain processes and procedures to provide reasonable assurance that the device and related systems are secure and make available post-market updates and patches. Related systems apply to items the device depends on, including peripherals like a phone or tablet or connecting to the cloud.
- Note that the FDA can deny a submission if a related system is not cyber-secure. A cyber-secure medical device must be patchable on a regular cycle and on demand for critical vulnerabilities.
- Provide the FDA with a software bill of materials (SBOM), including commercial, open-source, and off-the-shelf software components.
- Comply with other regulations the FDA may require.
Final premarket guidance was published on September 27, 2023, with recommendations to help manufacturers comply with the requirements under Section 524B. In March 2024, the FDA issued a Select Update to explain its interpretation of Section 524B’s terms and requirements, such as cyber devices and related systems, and to list the premarket submission documentation required for each. Also, if a legacy device must be resubmitted to the FDA, 524B may apply during the reapproval.
Premarket Submission Documentation Requirements
Cybersecurity considers what a device can be made to do, as opposed to what it was intended to do, and ensures those unintended behaviors cannot happen. When submitting to the FDA, documentation should include:
- Details on the backup plan for losing a cloud connection if device functionality, such as dosing calculations, is contingent on connectivity.
- Secure interoperability with other systems, if applicable. The medical device manufacturer is responsible for device risk, and each interface introduces additional risk.
Guidance Documentation for FDA Reviews
- Security risk management: The characteristics of a secure system and how they should appear within the device, including authentication, authorization, and code integrity
- Security architecture: A diagram of the system accompanied by a narrative, so reviewers can understand what each component is doing
- Cybersecurity testing: This includes penetration testing, validation testing, and more
- Labeling: The FDA calls out 14 different elements
- Cybersecurity management plan: How cybersecurity will be managed over the product lifecycle
How the FDA Can Help Medical Device Manufacturers
The FDA’s Division of Medical Device Cybersecurity (DMDC) can help affected entities engage the device manufacturer for timely assistance in remediating the issue. Additionally, the FDA is available to coordinate conversations between the entity, manufacturer, and the FDA to quickly address potential requirements like revalidation, as well as answer questions about device cybersecurity, FDA regulations, and other issues.
To explore this critical subject in more detail, we invite you to listen to the on-demand webinar, “A Conversation with the FDA about Medical Device Cybersecurity,” provided to our CloudWave Cybersecurity Insider Program members. Not a member? Join now for access to live monthly educational webinars, on-demand training sessions, threat intelligence alerts, and more.
Click here to learn more about how CloudWave can help strengthen your medical device security. If you have any additional questions or want to discuss your medical device cybersecurity strategy in more detail with one of our experts, please email customersfirst@gocloudwave.com.
— Mike Donahue, Chief Delivery Officer