On December 29, 2022, the Consolidated Appropriations Act, of 2023 was signed into law by the United States Congress. This massive, $1.7 trillion bill addresses a range of international and domestic issues and includes a new amendment to the FD&C Act in section 524B, Ensuring Cybersecurity of Medical Devices (section 3305). It impacts anyone seeking new FDA approval or making changes to nearly all premarket applications or submissions for a cyber device. FDA considers cyber devices to be any technology you’ve validated, connected to the internet, or that could be vulnerable to a cybersecurity threat. If part of your medical device powers up, performs a task, and collects data, it likely applies!
Contact our QMS development and compliance experts today at email@example.com.
There are 4 basic requirements in the law. We note that FDA didn’t include the last requirement in their March 2023 guidance document, but we’ll address it here just the same:
- Submit a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures.
- Provide a software bill of materials, including commercial, open-source, and off-the-shelf software components.
- Design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cyber secure, and make available postmarket updates and patches to the device and related systems.
- Comply with other requirements to demonstrate reasonable assurance that the device and related systems are cyber secure.
The law and these requirements came into effect for all medical devices approved for use in the United States on March 29, 2023. FDA has said they will not “refuse to accept” new submissions between this date and October 1, 2023. But this doesn’t mean that you can ignore the law and file as you wish in Q3! Instead, FDA will likely send you home to revisit the requirements and update your submission to their satisfaction without penalty over the next 5 months. You should not expect FDA to issue prescriptive steps to take here, so make sure you have the right resources to address their concerns. After October 1, 2023, FDA will likely deem any 510(k) missing these requirements administratively incomplete and document the submission response accordingly.
In our opinion, the new requirements are not onerous and do enforce reasonable responses to known, tangible threats impacting all Internet of Things (IoT) devices. Other industries with far smaller impacts on human life and well-being have had more stringent controls in place for years, and proven security operations frameworks and technology exist to meet these requirements with minimal impact on existing quality systems. The QMS disciplines of Systems Development Lifecycle (SDLC), Continuous Improvement, and Incident and Supplier Management easily address the new requirements and are likely in place at any technology organization with a measure of maturity. If your organization isn’t quite there yet, it’s not difficult to comply!
Each of the 4 Sec 524B requirements should be simple to address if your organization follows an established medical device quality management system (QMS) such as ISO 13485 or 21 CFR 820. Being familiar with and completing Manufacturer Disclosure Statement for Medical Device Security (MDS2) forms will also aid compliance. Adding in a few ISO 27001:2022 controls and processes will be the icing on the cake!
Provide a Software Bill of Materials (SBOM)
The majority of medical devices will employ a collection of homegrown, open-source, and commercial software components to provide services. Most will likely be cloud-based, and a few may run on private networks. These components will power mobile apps, interact with larger private and public data sources, and act on inputs to dispense medications, therapies, or diagnostic data. With a detailed and current SBOM, your organization can monitor cyber threat intelligence channels for exploits of your components, identify and address the risk of supplier updates to your device, and manage supplier concerns such as licensing, service delivery, and contracts. In addition to established ISO 13485 and 21 CFR Part 820 controls, we recommend a program to collect and respond to MDS2 forms for each supplier and follow ISO 27002 guidance for an asset inventory.
Submit a Plan for Cybersecurity of Medical Devices Vulnerabilities and Exploits
Once you’ve identified the SBOM components, or assets to your medical device that need protecting, you can create and submit a plan to monitor, identify, and address the threats and responses you’ll need to take when your device is threatened or compromised. Your plan should include how you’ll identify threats and vulnerabilities from both internal and external sources (testing, customer feedback, vendor updates). A documented and managed incident response plan must also include a Communications Plan that details who will communicate security incidents and events, and what they’ll say to your stakeholders. Outsourcing this process is not a get-out-of-jail-free card!
Design, Develop, and Maintain Systems Cybersecurity of Medical Devices Processes and Procedures
Both ISO 13485 clause 7 and 21 CFR 820 subpart C require the establishment of design controls and the development and maintenance of a Design History File (DHF) for your device, and any medical device with a technology component should include a Systems Development Lifecycle (SDLC). Updating and maintaining information security requirements, controls, documentation and testing/monitoring results is a reasonable way to address Sec 524B(b)(3). We also recommend including ISO27001:2022 controls 8.25-8.33 in your response to this law.
Update and Patch the Device and Related Systems
Once you’ve established the components required to operate your device in an SBOM, developed a plan to address cyber threats, and built an SDLC process to manage systems development, your program will generate actions requiring updates and patches to maintain a secure system. A mature SDLC will generate updates and patches based on the priority and severity of present threats and continuous improvements of the system. These updates and patches should be deployed by competent resources in a controlled manner and the changes communicated to all impacted parties.
Demonstrate Reasonable Assurance That the Device and Related Systems Are Cyber Secure
Lastly, FDA added a “catch-all” basket to Sec 524B. This requirement to demonstrate reasonable assurance that a device is secure seems to allow an investigator to call out observed discrepancies or advances beyond the specific wording of the law. It also allows them to ask how you know your processes and procedures are effective at protecting your device from vulnerabilities and exploits. Effective controls to address this requirement would be measuring and monitoring your process controls, internal auditing, and protective security measures such as responsive product testing including API security, network scanning, penetration testing, and disaster recovery testing.
By addressing the new Sec 524B requirements with an established medical device quality management system such as ISO 13485 or 21 CFR 820 and cross-referencing applicable controls in compatible cybersecurity of medical devices management systems, your organization should have confidence that compliance with the new law is both practical and obtainable.
Dayspring Technology is a Life Sciences and Infosec Consultancy trained and certified to implement and audit ISO 13485, ISO 27001, and ISO 27701 systems. We are experienced QMS development and compliance experts. Contact us today at 844.437.7789 or email firstname.lastname@example.org.