In response to a growing number of cyberattacks in the healthcare and life sciences industries, on Sept. 27, 2023, the U.S. Food and Drug Administration (FDA) released updated guidance regarding cybersecurity safety requirements for medical devices. This guidance outlines the FDA’s recommendations on improving the cybersecurity safety and effectiveness of medical devices in the premarket phase, replacing its 2014 “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” guidance.
This guidance applies broadly to all devices with cybersecurity considerations, including devices that have a software function, contain software or programmable logic, and are network-enabled. Importantly, this guidance also applies to devices that do not require a premarket submission, such as 510(k)-exempt devices. Practically, this includes everything from a programmable thermometer to an artificial intelligence-enabled diagnostic device.
Device manufacturers are already required to establish Quality System Regulation (QSR) metrics. To strengthen the QSR metrics, the FDA recommends implementing a secure product development framework (SPDF) to address cybersecurity risks. The FDA recommends that, among other things, the SPDF be incorporated at each stage of device development, and that it establish a security risk management plan that includes traceability documentation to demonstrate threat modeling, cybersecurity risk assessments, and maintenance of a software bill of materials. Use of an SPDF may reduce the risk that device manufacturers will need to “re-engineer the device when connectivity-based features are added after marketing and distribution, or when vulnerabilities resulting in uncontrolled risks are discovered.”
Recently, the FDA acknowledged that artificial intelligence and machine learning (AI/ML) will play a critical role in medical device development, in part through cross-system integration. However, AI/ML remains largely unregulated as scientific advancement continues to outpace government oversight. The FDA recognizes that this rapid, unregulated expansion may create new cybersecurity risks and recommends that device manufacturers consider evaluating and enhancing cybersecurity systems at all touchpoints in the device life cycle.
Moreover, the FDA advises that device labeling should include an accurate description of the medical device’s cyber risks, but in a way that is easy for the “average user” to understand. This can be particularly challenging where the average user may be unfamiliar with technology generally. Failure to include proper cyber warnings on the label may render the device misbranded under Section 502(f), potentially leading to FDA enforcement actions such as fines, injunctions, civil penalties and criminal charges.
Investors in medical device and device-adjacent products and services should ensure that potential targets incorporate security-by-design and lifecycle security risk management into their go-to-market plan. Diligence should include evaluation of cybersecurity compliance throughout the entire process of device development, manufacture, sale and decommissioning. If medical devices interface with other systems, investors should also ensure targets have cybersecurity measures in place to prevent potential attacks at each touchpoint and via interconnected devices. Device operation continuity plans and disaster response plans are also critical to ensuring device safety in the event of an intrusion or attack. Lastly, investors should ensure device manufacturers are prepared to address device labeling changes, as there may be particular challenges in describing risks and protections in a user-friendly manner.
McGuireWoods attorneys track updates in medical devices, digital health and cybersecurity. For more information on how this guidance may apply to you, potential implications or possible areas of concern, please contact the authors of this article.