The FDA’s New Medical Device Cybersecurity Rules Are More Than Red Tape


Manufacturers in any industry often see regulations as barriers or obstacles. Regulations can add production costs and layers of oversight, which are rarely palatable to a business. In medical device cybersecurity, however, these rules are much more than red tape.

The Food & Drug Administration (FDA) recently revised its guidance on cybersecurity for medical devices. This is the second revision in the last three years. That may seem frequent, but cybersecurity evolves daily, and each day brings new threats.

The current FDA recommendations aim to “future-proof” against the risks and vulnerabilities that are intrinsic to connected medical devices.

Let’s look at why these rules actually help manufacturers rather than hold them back.

Why Did the FDA Issue New Guidance So Soon?

In 2023, the FDA gained legal authority to enforce cybersecurity requirements for medical devices. It then issued guidance on what a premarket submission must contain in terms of security. That authority allows the agency to refuse approval if certain elements are missing, such as a software bill of materials (SBOM) or a program for patching and updating devices.

Since then, the FDA and industry have had time to evaluate those cybersecurity recommendations in practice. At the same time, cyber criminals have developed more sophisticated attacks and continue to target healthcare.

That re-evaluation, with more robust controls, produced the 2025 guidance now on the table.

How Challenging Is the New Guidance for Manufacturers?

Manufacturers carry a heavy burden, but it comes with a reward. By embracing secure by design, being proactive about device changes and the updates they require, and using a framework like ANSI/AAMI SW96, organizations gain greater protection from risk.

Hacked devices can result in noncompliance fines, reputational harm, and lost trust from providers, which can lead to financial and organizational collapse. When manufacturers follow the FDA guidance, and even go beyond it, cybersecurity becomes part of the entire lifecycle of the device.

What Are the Most Important Aspects of the FDA Submission Related to Cybersecurity?

The new medical device cybersecurity practices cover many areas of risk. All of them matter, and companies should start the process with a complete cyber risk assessment. You can’t effectively create a submission without one: knowing the potential vulnerabilities is what makes proactive cybersecurity possible.

Following a secure development practice also shapes the submission. The third most crucial element is the SBOM. Manufacturers should begin building the SBOM during the development phase to ensure an accurate picture of all software that is part of the device.

How Can Stakeholders Within Manufacturing Companies Best Collaborate on Medical Device Cybersecurity?

Three groups have a stake in medical device cybersecurity: software, hardware, and regulatory/compliance teams. They must work together to deliver a product that both works and is secure. Simple to state, but of course quite complex in practice.

These stakeholders must collaborate from the start so that the right inputs and perspectives receive proper consideration. The hardware and software teams bring expertise in their own fields, and they need regulatory and compliance experts to define how each should contribute to security.

A cohesive strategy and approach ensure that manufacturers heed the FDA guidance and can actually put it into practice.

Challenges Will Arise, and Manufacturers Can Resolve Them with Help

Development does not have to go off course because of security requirements. The two can proceed in parallel, but problems can and will pop up. Even with in-house expertise, you may still struggle to connect all the dots of cybersecurity.

You can avoid challenges with support from a team of medical device cybersecurity professionals like Blue Goat Cyber. Contact us today to learn more.
