New Cybersecurity Requirements in the US


Authors: Helen Simons

Cybersecurity is a key consideration in today’s market for medical device manufacturers and other industries. I have previously written about the FDA’s expectations for cybersecurity documentation for medical device submissions, and spoken about this topic at Medical Device Playbook Toronto.

Recently, we became aware of new cybersecurity requirements that are coming into effect in the US for medical devices which are considered “cyber devices”. The US government defines a cyber device as a device that:

  • includes software validated, installed, or authorized by the sponsor as a device or in a device;
  • has the ability to connect to the internet;
  • contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.

This is all the more interesting as these new requirements have not yet been communicated directly from the FDA or widely discussed within the industry news. I wanted to share this information with our readers so that you too can be aware of it and proactively prepare for this change.

For those in industry currently preparing submissions, this is a hot topic. You’ll want to ensure that the right documentation is generated and provided as part of the submission to avoid additional information requests and delays in the submission process.

New Requirements

On December 21, 2022, the US government approved an omnibus bill [1] (“Consolidated Appropriations Act, 2023”), which was predominantly about ensuring funding for government activities through to September 2023, but which also includes a subsection addressing the FDA’s control of medical device cybersecurity.

This bill comprises a staggering 4,155 pages, and hidden amongst them, on page 3,537, is the section of key interest. It identifies a set of cybersecurity requirements that the government expects to receive from anyone submitting an application or submission under sections 510(k), 513, 515(c), 515(f), or 520(m) of the Food, Drug, and Cosmetic Act. This means that anyone who is submitting a medical device for approval or clearance under the IDE, 510(k), De Novo or PMA pathways is now required to provide the following:

  • (b) CYBERSECURITY REQUIREMENTS—The sponsor of an application or submission described in subsection (a) shall—
    • (1) submit to the Secretary a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures;
    • (2) design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems to address—
      • (A) on a reasonably justified regular cycle, known unacceptable vulnerabilities; and
      • (B) as soon as possible out of cycle, critical vulnerabilities that could cause uncontrolled risks;
    • (3) provide to the Secretary a software bill of materials, including commercial, open-source, and off-the-shelf software components; and
    • (4) comply with such other requirements as the Secretary may require through regulation to demonstrate reasonable assurance that the device and related systems are cybersecure.

It also states that these additional requirements will come into effect 90 days from the date of enactment of this Act, which puts the compliance date at March 21, 2023.

Conflicting Information

Currently, as detailed in our whitepaper FDA Cybersecurity Draft Guidance, the applicable final guidance from the FDA is outlined in Content of Premarket Submissions for Management of Cybersecurity in Medical Devices dated 2014. However, in 2022, the FDA published an updated draft guidance, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, which significantly expands on the expectation for cybersecurity activities and documentation. The 2022 version is understood to be the current thinking on this topic from the FDA, while the 2014 final guidance is the one currently in effect and under enforcement.

The FDA did confirm that they intend to finalize the 2022 draft guidance this year when they communicated the guidances they plan to prioritise in 2023 (CDRH Proposed Guidances for Fiscal Year 2023 (FY2023) | FDA). However, we have yet to see any specific publication dates or details about the extent of the edits, or how the final guidance will differ from the 2022 draft.

The obligations outlined in the omnibus bill fall halfway between the 2014 and 2022 versions of the guidance: they are expanded from those currently under enforcement, but not as extensively as those outlined in the 2022 draft.

The post-market plan and the processes and procedures aspects are partially covered by the current final guidance, but not explicitly word for word. The requirement for a software bill of materials (SBOM) is not in the current final guidance, but it is covered in the 2022 draft guidance. The last requirement appears to be a catch-all statement allowing the FDA and relevant governmental bodies to adapt to best practices as required.

The FDA recommends use of the eSTAR package for submissions to ensure the correct content is provided. The current template, version 2-2, only requests the following documents in relation to cybersecurity: risk management file(s), cybersecurity management plan or plan for continuing support, and a reference to cybersecurity content within the labelling. We should expect this template to be updated to reflect any additional requirements.

The bill does explicitly mention the guidance entitled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” (or a successor document) and the FDA’s obligation to review it and keep it up to date with feedback from “device manufacturers, health care providers, third-party-device servicers, patient advocates, and other appropriate stakeholders.” However, the time limit for this aspect of the bill is “not later than two years”, which conflicts with the 90-day expectation placed on industry.

Remaining Questions

This is where we come to the crux of the issue: how does industry respond to these conflicting requirements?

The bill states that the FDA should provide resources no later than 180 days after the Act comes into force, including updating the FDA’s website on cybersecurity. But again, this comes after the deadline for industry.

We will have to wait to see when this gets officially communicated to industry either by an update to the guidance or by other means. Hopefully this will soon happen to bring clarity regarding these expectations.

[1] An omnibus bill is a proposed law that covers a number of diverse or unrelated topics (Omnibus bill – Wikipedia).


Helen Simons is a Quality Assurance Manager at StarFish Medical. Helen’s education is in mechanical engineering, with a background in product development and QMS development across multiple industries, from consumer and industrial products to medical devices, IVD and combination devices.