FDA cybersecurity guidance: New law all SaMD manufacturers must follow

In 2021, a group of researchers investigating software used in medical devices and machinery used in other industries found over a dozen vulnerabilities that, if exploited by a hacker, could cause critical equipment such as patient monitors to crash.

The FBI released a report in 2022, which found that 53% of digital medical devices and other internet-connected products used in hospitals had known critical vulnerabilities. The report also highlighted specific medical devices that are susceptible to cyberattacks, such as insulin pumps, intracardiac defibrillators, mobile cardiac telemetry, and pacemakers. The FBI report stated that “malign actors who compromise these devices can direct them to give inaccurate readings, administer drug overdoses, or otherwise endanger patient health.”

President Joe Biden signed an extensive federal omnibus bill in December 2022, totalling $1.7 trillion, to counteract rising medical device cybersecurity concerns represented in these reports. As part of the bill, the FDA must update its medical device cybersecurity guidance at least every two years.

According to the new FDA guidance issued in late March 2023, all new medical device applicants will be required to submit a plan on how to “monitor, identify, and address” cybersecurity issues. These plans will require a provision of reasonable assurance that a device is protected against cyber threats. Additionally, applicants will need to make security updates and patches available on a regular schedule, provide the FDA with a software bill of materials, and include in documentation any open-source or other software their devices use.

The FDA cybersecurity guidance aims to address these concerns and improve the cybersecurity of medical devices. By requiring medical device manufacturers to create a plan to monitor, identify, and address cybersecurity issues, the FDA hopes to provide reasonable assurance that the devices are protected against cyber threats.

The requirement for security updates and patches to be made available on a regular schedule and in critical situations aims to ensure that any vulnerabilities that are discovered can be addressed promptly. By providing the FDA with a software bill of materials, medical device manufacturers can ensure that any open-source or other software their devices use is secure.

However, it remains to be seen how effective these new guidelines will be in practice. Cyber threats are constantly evolving, and medical device manufacturers will need to stay vigilant to ensure that their devices remain secure. Additionally, it is important to note that the new guidelines only apply to new medical devices. Many existing devices may still be vulnerable to cyber threats, and it is up to healthcare providers to ensure that they are protected.

In conclusion, the new regulations for medical device cybersecurity are a positive step towards improving the security of internet-connected devices used in healthcare. By requiring medical device manufacturers to create a plan to monitor, identify, and address cybersecurity issues, the FDA aims to provide reasonable assurance that these devices are protected against cyber threats. However, it is important to note that the guidelines only apply to new devices, and existing devices may still be vulnerable to cyber threats.

If you would like to learn more about medical device software development and medical device cybersecurity or how to ensure that you comply with new FDA guidance, schedule your free consultation with the HTD.