Recent changes to U.S. Food & Drug Administration (FDA) policy are now requiring all medical device manufacturers to implement cybersecurity measures to protect patients from cyberattacks.

With the passage of the Consolidated Appropriations Act of 2023, the FDA is now required by law to include cybersecurity in its review of certain medical devices that contain software and connect to the internet. Given that FDA approval is required prior to market most new devices, this new rule puts the FDA at the forefront of cybersecurity for device manufacturers.

The healthcare and life sciences spaces are no strangers to cyberattacks, and the FDA has been concerned about the cybersecurity of medical devices for nearly a decade. The administration's concerns stem from fears that cybercriminals could hack into internet-connected medical devices and compromise the ability of these devices to function, potentially causing life-threatening physical harm to patients.

These concerns are well founded. A group of researchers in 2021 identified over a dozen cybersecurity vulnerabilities in medical devices currently in use. And, according to a 2022 report from the FBI, more than 50% of internet-connected medical devices in hospitals had cybersecurity vulnerabilities, and about 40% of devices at the end-of-life stage had few or no security patches. Moreover, the healthcare and life sciences industries are increasingly targeted by malicious cyber actors that exploit vulnerabilities in devices and networks. One study revealed that almost 89 percent of these institutions were victims of at least one cyberattack between 2021 and 2022. Vulnerable medical devices present a distinct and significant threat that could result in serious consequences for both healthcare providers and their patients.

The new cybersecurity requirements apply to all FDA applications submitted after March 23, 2023. Medical device producers must act now by beginning to implement cybersecurity standards into their product development process. To prepare for your next filing, here are four steps all medical device manufacturers should take to comply with these new rules:

1. Determine if your medical device meets the FDA's definition of a "cyber device."

Not all medical devices will be subject to these new rules. To be considered a "cyber device" that falls under the new cybersecurity rules, medical devices must include some form of software, have the ability to connect to the internet, and contain technology that could be vulnerable to a cybersecurity threat. It remains unclear the exact parameters of these characteristics. Until this is finally ironed out, the FDA is encouraging device manufacturers to reach out for further clarification.

2. Make a clear plan to prove the device is cybersecure.

Under the new rules, medical device manufacturers of cyber devices must submit to the FDA a specific plan to monitor, identify, and address all post-market cybersecurity vulnerabilities. Because the vulnerabilities exploited by malicious cyber actors are constantly emerging, the FDA also requires manufacturers to make regular updates and continually check on the product's cybersecurity status. Manufacturers must also provide the FDA with reasonable assurance that the device is cybersecure and make post-market updates and patches to the device and related systems. These security updates must occur on a regular cycle. When a vulnerability is identified, manufacturers are required to take action and address the vulnerability as soon as possible. Approval for a device may be delayed or denied if the manufacturer cannot clearly demonstrate the adequacy of their cybersecurity safeguards to regulators.

3. Prepare a software bill of materials (SBOM).

Moving forward, cyber device manufacturers are now also required to provide FDA with a "software bill of materials" - or SBOM - detailing all commercial, open-source, and off-the-shelf software used in the medical device. This list is intended to help regulators better understand how the device works and identify potential areas of vulnerability. Device manufacturers should begin compiling this information and organizing it now so that they are ready to report to the FDA when filing for approval.

4. Stay nimble and be prepared for the FDA to request more information.

These new rules are still in their infancy and may continue to evolve. Part of the new law states that the FDA may ask medical device manufacturers to "comply with such other requirements as the Secretary may require" to "demonstrate reasonable assurance that the device and related systems are cybersecure." As a result, manufacturers should remain nimble and keep organized records of their efforts to remain compliant in the event that the FDA requests more information during their review.

Harnessing the Combined Strength of Buchanan's FDA and Cybersecurity Teams

Navigating these evolving cybersecurity regulations requires keeping a watchful eye on the developments at the FDA in Washington, D.C. Our teams of attorneys and government relations professionals at Buchanan are closely tuned in to the FDA and have deep experience in medical devices, life sciences, and cybersecurity. We understand the intricate intersection of technical and legal considerations when developing and articulating cybersecurity standards and can guide you through the uncharted waters of the new requirements.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.