Understanding the FDA Medical Device Cybersecurity Protocols

As the FDA incorporates its new medical device cybersecurity protocols and plans for strict enforcement in October 2023, it is critical to understand guidance components and their legal implications.

Earlier this year, the United States Food and Drug Administration (FDA) revealed its updated guidelines regarding cybersecurity threats for medical devices. Like all technological products, medical devices can be susceptible to cyberattacks and breaches; however, the implications in the healthcare space go far beyond social media hacking. Depending on the device’s functionality, attacks on medical devices can cause Health Insurance Portability and Accountability Act (HIPAA) violations, improper patient health assessments, miscalculated medication dosages, and other potentially fatal outcomes.

According to the American Hospital Association, in September 2022, the Federal Bureau of Investigation (FBI) recommended actions to minimize the risks of cybersecurity attacks on medical devices. Shortly after, on March 30, 2023, the FDA published its Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber Devices and Related Systems under section 524B of the FD&C Act, a guidance for industry and FDA staff, prompted by legal changes in December.

In December 2022, the Consolidated Appropriations Act, known as Omnibus, was formally established and became law. Among the many components of this act, section 3305, Ensuring Cybersecurity of Medical Devices, led to changes for the FDA, as it altered the Federal Food, Drug, and Cosmetic Act (FDC Act).

The amendment included adding section 524B into the FDC Act to ensure the security of medical devices, making them less susceptible to cybersecurity risks. With the Omnibus Act in motion, the FDA had 90 days to incorporate new protocols for medical devices.

By the end of March, the FDA began using these new protocols to make regulatory decisions on medical devices; however, applications submitted before this date were not subject to the new guidance.

Instead of issuing draft guidance followed by final guidance, the agency implemented the protocols directly, without a public comment period, citing constraints under section 701(h)(1)(C) of the FDC Act (21 USC 371(h)(1)(C) and 21 CFR 10.115(g)(2)).

Anna Rudawski, JD, a partner at Norton Rose Fulbright specializing in cybersecurity and medical cybersecurity legal issues, explained the legal implications and the precedent surrounding these new protocols to LifeSciencesIntelligence.

Medical Device Cybersecurity

Rudawski explained that this is only the second major FDA publication on cybersecurity guidance, the previous one having been released many years ago.

“The follow-up is long overdue,” Rudawski noted. “It's been prompted by many of these devices, connected to the internet in some way, being vulnerable to cyberattacks.”

She explains that beyond consumer-facing medical devices like wearable sensors, which are worn directly by consumers, there are many medical devices in healthcare facilities or systems that are susceptible to cybersecurity issues.

On a hospital or organizational level, healthcare providers use many backend tools to treat patients, which may be vulnerable to cyber threats. These security gaps have prompted the FDA to crack down on cybersecurity protocols for medical device safety across all patient care levels.

“The other thing prompting these rules — from a general cybersecurity standpoint, not just in the medical device space — is asset management has been a massive problem for every single company regardless of the asset,” added Rudawski. “In the medical context, every single device is an asset that needs to be secured, especially in a hospital or a healthcare system.”

The FDA’s earlier cybersecurity guidelines were post-market monitoring guidelines, not preemptive protocols to prevent cyberattacks. They focused on standards for issuing notices and recalls but did not propose measures during device development and premarket approval for preemptive risk management.

Tech Debt

Rudawski explained that many medical devices — like technological assets or devices outside the medical industry — can fall into “tech debt.” The technology industry uses the term for technology that depends on unsupported or outdated software components.

“That's always the challenge, especially in the healthcare industry where they often rely on devices or software,” she said. “They could be outdated, unsupported, or no longer patchable because the software provider that's making them no longer supports the version a facility or individual is running, and they don't have enough time or resources to upgrade.”

Manufacturers can sometimes push updates that users may opt out of, like a software update on a phone or computer, but other updates are “forced” on the user or system, leaving no option to delay or decline them. Often, these forced updates address significant security flaws identified by the manufacturer.

However, Rudawski notes, “That only works as long as it's still a supported device, but a device that's no longer supported or off-label can be a lot more challenging.”

“There are a lot of medical devices, especially in the diabetes space. Unfortunately, many of them don't talk to each other,” she added. “Some apps enable patients or providers to pull data from multiple devices into one app, interface, or connected device system, where they all communicate.”

This setup requires developers to “jailbreak” medical devices and essentially develop a new app altogether. While the patient care uses are unparalleled, the products are unregulated.

“Manufacturers are only going to pick up devices that they know about. They’re not going to pick up devices they don't know about, which sounds silly, but every organization and device has some element of shadow IT,” she added. “That is just unmapped IT or devices that don’t connect to the network or the internet, either because they've been jailbroken so that they exist offline, or someone has spun them up through some sort of alternate process.”

New Proposed Guidelines

This guidance updated the suggested documents and content of premarket submissions. Under the new policy, device manufacturers or researchers submitting a medical device for FDA approval must include a plan to monitor and address post-market cybersecurity vulnerabilities and exploits within a reasonable time in their initial application.

Beyond protocols for post-market monitoring, the application should also provide “reasonable assurance” of security throughout the total product life cycle. The application should detail the design, development, and maintenance processes that keep a medical device safe when unacceptable or critical vulnerabilities are found.

Additionally, the new cybersecurity requirements emphasize that manufacturers seeking FDA approval must include a software bill of materials (SBOM) and comply with other requests from the agency.

The FDA guidance document notes, “In general, FDA’s guidance documents do not establish legally enforceable responsibilities. Instead, guidances describe the agency’s current thinking on a topic and should be viewed only as recommendations unless specific regulatory or statutory requirements are cited. The use of the word should in agency guidance means that something is suggested or recommended, but not required.”

While these newer standards offer more detailed protocols, Rudawski argues they may still be insufficient. She notes that most sophisticated medical device manufacturers and providers have already been checking off the recommended boxes for device security and safety.

Legal Implications

While the FDA’s language indicates that these guidelines are just recommendations, Rudawski told LifeSciencesIntelligence that there would likely be repercussions for the few stakeholders who have not already adopted, or do not adopt, these suggestions. Manufacturers may not run into any complications immediately, but they may be penalized if there is a data breach, disruption, or cybersecurity concern.

“If manufacturers get hit because of vulnerabilities on their device, they may get hit with all sorts of lawsuits and investigations,” said Rudawski. “Manufacturers have to notify people. If the device is taken offline or patient data is lost, they may be subject to HIPAA or the FTC breach rule.”

When it comes to breaches, additional federal regulators become involved. If health information or patient safety is compromised, there will be legal scrutiny of the manufacturer’s compliance with the quality system regulation (QSR), its digital health protocols, and its other cybersecurity practices.

“We've seen reports where people have linked ransomware attacks or data breaches that have impacted medical devices to patient harm, poor outcomes, or death. Those are starting to be questions that regulators are asking about. How long was the service down? What were the patient disruptions? How much patient data was lost?”

Although FDA rhetoric implies that these protocols are a suggestion, there is much more to consider beyond that. For example, FTC and HIPAA are likely to point to these standards. Beyond that, if a breach happens and a class action lawsuit comes to fruition, lawyers will focus on these standards — more accurately, nonadherence to them — to make their case against a manufacturer.

Looking Ahead

While these protocols are currently in effect, the FDA notes that until October 1, 2023, it will not issue a “refuse to accept” decision based on missed application materials from the new protocols. Until the October date, manufacturers and sponsors will work collaboratively with the FDA in the review process so the companies can address their known risks.

However, after October 1, all applicants will be expected to meet the guidelines issued.

“They haven’t imposed anything that medical device manufacturers didn't know already unless they were a very unsophisticated developer of these devices,” she emphasized.

Rudawski told LifeSciencesIntelligence that most manufacturers are already implementing the FDA’s suggestions, meaning they won’t have to make too many adjustments to their workflow. However, she notes that these updated guidelines would require medical devices to undergo a new level of premarket submission.

Although many manufacturers have already incorporated cybersecurity controls for device security, Rudawski emphasized the need to avoid cyber threats by incorporating risk assessment and management strategies early on.

“We always try to get involved at the earliest stage of the product or the service. Cybersecurity is a lot easier to achieve if it’s managed from the beginning of product development than at the tail end of product development,” she said.

Although the FDA acknowledges that threats and vulnerabilities cannot be eliminated, the agency provides tools and protocols to reduce the risk. Manufacturers and healthcare professionals who use medical devices are encouraged to use FDA resources for better risk mitigation strategies. The FDA provides a Medical Device Cybersecurity Regional Incident Preparedness and Response playbook and the Playbook for Threat Modeling Medical Devices.
