Countdown to Safer Medical Devices

A six-month clock started ticking late last year, counting down to the FDA's new deadline for updating its public-facing guidance on improving the cybersecurity of medical devices. The requirement became law on Dec. 29, 2022, as part of the $1.7 trillion Omnibus Appropriations Bill, which also sets new conditions on premarket submissions for applicable medical devices: they must "meet cybersecurity requirements" as defined in the bill.

What does this mean for medical device manufacturers? Since 2014, the FDA has released only non-binding guidance and recommendations on the cybersecurity of medical devices. Once the new rules take effect, the sponsor of any premarket submission for a "cyber device" must, per H.R. 2617 (page 1,375):

  1. Submit to the Secretary a plan to monitor, identify, and address, as appropriate, in a reasonable time, post-market cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures;
  2. Design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available post-market updates and patches to the device and related systems to address— a) on a reasonably justified regular cycle, known unacceptable vulnerabilities; and b) as soon as possible out of cycle, critical vulnerabilities that could cause uncontrolled risks;
  3. Provide to the Secretary a software bill of materials, including commercial, open-source, and off-the-shelf software components; and
  4. Comply with such other requirements as the Secretary may require through regulation to demonstrate reasonable assurance that the device and related systems are cybersecure.

Item 4 above also authorizes the FDA to issue regulations containing further requirements that "demonstrate reasonable assurance that the device and related systems are cybersecure." Because the bill became law in December 2022, the requirements above take effect 90 days after enactment, which is late March 2023. By 180 days after enactment, late June 2023, the FDA must also publish updated public-facing guidance on improving device cybersecurity, and it must thereafter update its existing "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices" guidance at least every two years.

These developments come on the heels of a September 2022 FBI Private Industry Notification, in which the FBI reported known critical vulnerabilities in more than half of the connected medical devices and other internet of things (IoT) devices in hospitals, including insulin pumps, implantable cardioverter-defibrillators, mobile cardiac telemetry units and pacemakers. A compromised device of this kind can be made to do anything from reporting inaccurate readings to administering a drug overdose, directly endangering patient health.

The FBI notification also includes sound recommendations for designing devices with security in mind, rather than assuming they will never be exposed to security threats. You can learn more about how Thirdwayv helps medical device manufacturers adhere to the most recent FDA requirements through our multi-layered approach to security. Thirdwayv has already helped customers meet the IEEE 2621 standard for wireless diabetes device security. Issued in May 2022, IEEE 2621 is based on the Diabetes Technology Society's "Standard for Wireless Diabetes Device Security" (DTSec) cybersecurity assurance standard and program, and it is built into market-leading Automated Insulin Delivery (AID) systems that combine insulin pumps with Continuous Glucose Monitors (CGM). Such systems let tens of thousands of diabetes patients and their families live better lives without compromising their cybersafety. Lastly, while the standard is written for diabetes devices specifically, its cybersecurity requirements can help make any connected medical device more resistant to cyber threats.

We applaud the passage of this bill and hope it leads to strong additional measures from the FDA. It is a first, foundational step toward ensuring that patients who benefit from connected medical technologies such as remote monitoring or drug delivery devices need not also worry about harm from attackers targeting those same technologies.
