As connected medical devices become a larger part of the healthcare landscape, the threat of cyberattacks grows. Manufacturers in this category have many regulations they must keep in mind. The FDA (U.S. Food and Drug Administration) oversees all these rules, and they’ve made cybersecurity and medical devices a key priority.
While some requirements were in place, they became more stringent in 2023. The FDA issued new rules regarding cybersecurity by updating Section 524B of the Food, Drug, and Cosmetic Act (FD&C Act). The change now includes mandatory information in submissions relating to four core cybersecurity requirements. Enforcement of this began on October 1, 2023.
These new rules, along with existing ones, create a complex backdrop for manufacturers eager to both comply and get their devices to market. As a cybersecurity firm specializing in cybersecurity and medical devices, we’ve compiled this list of everything you need to know.
Updated Section 542B of the FD&C Act Explained
The FDA updated the provision in the FD&C Act, in fact, due to heightened threats and vulnerabilities regarding medical devices. The FBI’s report on this issue stated that 53% of digital medical devices had critical vulnerabilities. Most of these fell under unpatched and outdated devices. Additionally, research found 993 vulnerabilities in medical devices, a 59% increase from 2022.
Under pressure, and rightfully so, the FDA decided to get serious about cybersecurity and medical devices. The updated 542B has four requirements:
- Manufacturers must submit plans for tracking and addressing cybersecurity issues once the device is on the market.
- Companies must implement internal controls to verify that patches and updates are available after identifying vulnerabilities.
- Manufacturers must develop an SBOM (software bill of materials) as part of their FDA filings that outlines all software components.
- Medical device manufacturers must also adhere to rules regarding cybersecurity not yet created by the FDA.
The FDA states these rules apply to “cyber devices,” which have software, can connect to the internet, and could have vulnerabilities subject to cyber threats.
So, how do you comply with these requirements? Let’s get into the details.
Key Actions to Comply with 542B
Your FDA submissions are now much more complex and detailed. Working on these and getting them right the first time will require working with a cyber firm with medical device security experience. Here are the compliance activities we’re helping our clients with so they can meet FDA medical device cybersecurity mandates:
Medical Device SOUPs
Any medical device manufacturer uses SOUPs (software of unknown pedigree). These are external, open-source code libraries that have unknown security. The reason companies use them is because they save time and money. However, they do come with risks. You’ll need to compile your SOUPs to create your SBOM.
Medical Device SBOM
An SBOM is a document that lists any software used in the device, dependencies, and metadata. Think of it as an inventory list. It must be complete and accurate. Typically, this list consists of:
- Open-source and third-party software elements (your SOUPs)
- Binaries and firmware
- Cloud resources
- APIs (application program interfaces) that the device networks with or sends data to
Under the new guidelines, your FDA application must include an SBOM. Prior to this, you may have previously submitted these but without this level of detail. The SBOM has to address your ability to monitor, identify, and remediate cybersecurity weaknesses in your devices. Additionally, you’ll need to define the steps to push out software patches once they are in use.
The FDA also expects you to outline your policies and testing protocols for assessing:
- Risks related to confidentiality, integrity, and availability
- System entry points
- Existing controls
- Data flows
Creating an SBOM in 3 Steps
When working with our medical device clients, we provide them with a SOUP analysis and SBOM to submit to the FDA. We do this by taking these steps:
- Analyze: We assess external source security to identify outside components used in the development environment. It can be cumbersome, depending on the complexity of the landscape. Our approach is to standardize documentation to always be current and accurate.
- Track: Next, we help you build a tracking program for use during the development and run time to ensure proper completion. We look for calls to external sources and trace them. It can involve a comprehensive list of code.
- Reiterate: The last step is like a loop because SBOMs aren’t a one-time exercise. Any time you make a major adjustment or add new elements, you must update your SBOM. Doing so supports ongoing compliance. Just because your device doesn’t have significant changes doesn’t mean you shouldn’t do these regularly.
The addition of the SBOM illustrates the FDA’s new approach to medical devices and cybersecurity as one that’s proactive. It also makes good sense for your business to have this mindset. You can find more tips on SBOMs in the FDA resource.
Beyond 542B, there are more things to know about medical device cybersecurity.
Premarket Notification 510(k) Submissions
The Premarket Notification 510(k) requires manufacturers to submit documentation that demonstrates the devices are safe and effective. It’s a substantial equivalent (SE) to a legally marketed device.
This requirement existed before the 542B update. Revisiting in light of these changes is worthwhile. It’s also something we help medical device companies create. The process starts by comparing the new device with one already approved by the FDA. The FDA has the power to designate a device SE, and you cannot move forward without this.
A device qualifies as an SE if, when assessed to a predicate, it has either of these characteristics:
- The new device has the same intended use and technological characteristics as a predicate.
- The new device has the same intended use with different technical attributes but doesn’t raise further questions on safety and effectiveness, and the submission to the FDA exhibits that the device is safe and effective.
While 501(k) submissions aren’t new, they have changed with the updates to 542B. They now must include the following:
- Cybersecurity requirements for products meeting the definition of a “cyber device”
- Submission of your process to monitor, identify, and address cybersecurity vulnerabilities after FDA approval
- Details of your cyber-secure program, encompassing patching and updates accessibility and your SBOM
Failure to include this could result in the FDA kicking back your 510(k) submission. The cause of the rejection can vary and may include:
- Insufficient descriptions
- Discrepancies in the submission
- Issues with usage indications
- Testing being incomplete
- Not following FDA standards
- Missing or incomplete clinical data
To avoid this, you should work with medical device and cybersecurity experts.
Now that we’ve reviewed the rules let’s review how pen testing supports compliance with them.
The Role of Pen Testing in Cybersecurity and Medical Devices
A critical piece of your cybersecurity strategy should be penetration testing. These exercises simulate cyberattacks to help you understand all the exploitable vulnerabilities in your devices. Those conducting them use the same techniques as real hackers, so it’s a real-world scenario that enables you to address vulnerabilities before cybercriminals can leverage them.
Our medical device pen testing involves four phases:
1. Pre-Test Prep
In the initial step, our experts complete discovery to understand all available information about your devices. We look at design documents, data flow diagrams, use cases, security architecture, manuals, install procedures, source code, and more.
The goal is to familiarize ourselves with your product and devise a plan for the pen test.
2. Testing
Next is the testing, which can occur at your facility or remotely. Testing procedures include:
- Identification of all entry points into the system
- Vulnerability assessments of each entry point
- Exploitation of initial and subsequent issues
If we find a critical vulnerability during this step, we immediately bring it to your attention, regardless of whether the complete pen test is over.
3. Reporting
After the pen test, we produce a report outlining all issues identified. Each issue has a rank of priority. It also includes a detailed view of exploitation steps, screenshots, and remediation guidance for each. We review all this with you in a meeting where you can ask questions.
4. Retesting
From the report, you’ll begin work on fixing all the problems. When you complete this, it’s time to retest to ensure they were applied appropriately. We’ll go back through testing and create a Letter of Attestation. It documents the pen testing scope, findings, and rating for the medical device. You can use this to verify your products’ security, sharing it with clients, auditors, and regulators.
What’s Next for Medical Devices and Cybersecurity?
The new regulations have only been in place for a few months. Industry experts expect these requirements will shape their future policies on security and compliance. As healthcare becomes more connected, the use of medical devices will increase as a way to expand care and improve clinical outcomes. However, all the good they can bring must balance with the need for these products to be secure. We’ll continue to cover this topic and its developments.
Schedule a discovery call with us today if you’d like to learn more about how we can help.
