Raising cybersecurity standards for medical devices necessitates manufacturers' compliance with new global regulations.
A medical device company’s management of its products’ cybersecurity has been a significant expectation among regulatory authorities for many years.
To that end, in the US, FDA published its first guidance on medical device cybersecurity in 2005: Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software.
This was followed in 2014 by guidance on Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, and subsequently by guidance on Postmarket Management of Cybersecurity in Medical Devices. Although useful, the recommendations in these documents have been judged insufficient and not very rigorous.
However, since passage of the 2023 US Government Consolidated Appropriations Act and FDA’s 2023 updated guidance on Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, the cybersecurity bar has been raised. The 2023 premarket guidance replaces the 2014 premarket guidance, which had been updated in draft forms in 2018 and 2022.
Over the years, FDA’s premarket guidance went through a significant evolution from the somewhat limited 9-page 2014 document to the now comprehensive 57-page 2023 guidance.
The 2023 Consolidated Appropriations Act moved medical device cybersecurity from the less formal "recommendations" approach of FDA's guidance documents to statute-based requirements, i.e., law.
For example, by law, Section 3305 of the Consolidated Appropriations Act requires that the sponsor (e.g., a medical device company) of an application or submission (e.g., a 510(k) premarket submission) shall:
Particularly notable in the Consolidated Appropriations Act are the requirements for a post-market cybersecurity plan and a software bill of materials (SBOM), neither of which has historically been emphasized in US regulatory submissions. Both require major effort from the earliest stages of a medical device's development. In addition, under the 2023 premarket guidance, premarket submissions must now include the results of penetration testing and threat modeling exercises, which also involve substantial effort and cost.
Higher expectations for cybersecurity are not just limited to the US. The EU’s 2022/2555 Directive on the Security of Network and Information Systems (“NIS2”) now mandates cybersecurity risk management measures and reporting requirements for manufacturers of medical products, including chemicals (APIs), pharmaceuticals, and medical devices.
Similar to the US, Australia’s Therapeutic Goods Administration’s 2022 Medical device cyber security guidance for industry calls for a total product lifecycle (TPLC) approach to managing cybersecurity. It also calls for penetration testing and threat modeling as part of a device’s risk management/assessment process.
Singapore announced in 2022 that it plans to deploy a Cybersecurity Labelling Scheme for Medical Devices (CLS-MD). The labelling scheme is currently in a "sandbox" or trial period. Under the scheme, medical devices are rated according to four levels of cybersecurity provisions and assessments.
The cybersecurity label for medical devices would provide an indication of the level of security in medical devices. Although currently voluntary, this new scheme demonstrates the Singapore government’s serious concern with medical device cybersecurity.
Beyond the examples above, awareness of the need to keep medical devices "cyber safe" has grown around the world, including global initiatives from the International Medical Device Regulators Forum, which has produced excellent technical documents on Principles and Practices for Medical Device Cybersecurity, Principles and Practices for the Cybersecurity of Legacy Medical Devices, and Principles and Practices for Software Bill of Materials for Medical Device Cybersecurity.
If you are developing, or already have, a medical device with software, especially one that can be electronically connected to other devices or to a network, then you need to take cybersecurity seriously and fully understand the cybersecurity requirements and expectations in whatever region you are selling to or will sell to. If you would like support with navigating your global cybersecurity compliance, please feel free to reach out to Pure Global for assistance.