What Are The Requirements For A Cyber Device In The Medical Industry?

Medical Device Cybersecurity


In a previous article, I explained that cybersecurity attacks in healthcare are increasing in frequency, and that the FDA issued two guidance documents which summarize the FDA's thinking on what constitutes a full, risk-based, lifecycle approach to cybersecurity defense in a medical device. These guidances are neither a supplement to FDA requirements for data integrity nor an extension of 21 CFR Part 11; they are intended to protect medical device users and operators.

A new law, the Consolidated Appropriations Act, 2023 (the Act), was passed on December 29, 2022. It contains the Food and Drug Omnibus Reform Act (FDORA), which includes numerous improvements and modifications to modernize the regulation of medical products and foods. While FDORA is broad in scope, the focus of this article is on the cybersecurity requirements for submission of a "cyber device" via 510(k) or PMA.

What Is A Cyber Device?

To implement the new law as it applies to cyber devices, the FDA published a new guidance on March 30, 2023: Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber Devices and Related Systems Under Section 524B of the FD&C Act; Guidance for Industry and Food and Drug Administration Staff.

In this new guidance, the FDA set out a working definition of a cyber device: essentially, any Internet-enabled medical device containing software that may be vulnerable to cybersecurity threats. The definition is not limited to Software as a Medical Device (SaMD), and the guidance describes the definition of a cyber device in greater detail.

Requirements For A Cyber Device

The previous guidance documents introduced the concept of a Cybersecurity Bill of Materials (CBOM), which lists all open source and off-the-shelf software and hardware components, whether commercially available or not, that could become subject to vulnerabilities.

As of March 29, 2023, the FD&C Act includes Section 524B, titled “Ensuring Cybersecurity of Devices,” which outlines key requirements that medical device manufacturers must follow. These include the following:

  • Determine whether you have a cyber device, meaning one in which software is validated, installed, or authorized by the manufacturer as a device or in a device. Essentially, such a device connects to the internet, as mentioned above, and has characteristics that could make it vulnerable to cybersecurity threats.
  • If any of your submissions or applications involves a cyber device, take note that it becomes subject to the section's cybersecurity requirements.
  • Manufacturers must be able to prove that the device is cybersecure and that the cyber device can be updated and patched to address unacceptable or critical vulnerabilities.
  • Manufacturers must provide documentation, such as a software bill of materials (SBOM), covering commercial, open-source, and off-the-shelf software components.
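The SBOM requirement is the most concrete of these, and a reviewer will look for a small set of minimum elements per component: supplier, name, version, a unique identifier, and a recorded dependency relationship, plus an author and timestamp for the SBOM itself. The following Python script is an added illustration, not code from the article or from the FDA guidance: it builds a small CycloneDX-style SBOM for a hypothetical device and checks each component for those elements. The device name, component names and versions are constructed sample data, and the CycloneDX field names are an assumption about the format, which the article does not specify.

```python
import json

# Constructed sample SBOM in CycloneDX-style JSON (hypothetical device; not real data).
# Two of the three components are deliberately incomplete so the checker has something to flag.
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {
    "timestamp": "2023-06-01T12:00:00Z",
    "authors": [{"name": "Example Device Co. Product Security"}],
    "component": {"type": "device", "name": "example-infusion-pump-fw", "version": "3.2.0"}
  },
  "components": [
    {"type": "library", "name": "openssl", "version": "3.0.8", "bom-ref": "openssl",
     "supplier": {"name": "OpenSSL Project"}, "purl": "pkg:generic/openssl@3.0.8"},
    {"type": "operating-system", "name": "example-rtos", "version": "", "bom-ref": "example-rtos",
     "supplier": {"name": "Example RTOS Vendor"}},
    {"type": "library", "name": "zlib", "version": "1.2.13", "bom-ref": "zlib"}
  ],
  "dependencies": [
    {"ref": "openssl", "dependsOn": ["zlib"]}
  ]
}
"""


def load_sample_sbom() -> dict:
    """Parse the constructed sample SBOM above."""
    return json.loads(SAMPLE_SBOM_JSON)


def check_sbom(sbom: dict) -> list:
    """Return a list of human-readable findings for missing minimum elements.

    Checks SBOM-level author and timestamp, then per-component supplier, name,
    version and unique identifier (purl or cpe), then that every component
    appears somewhere in the dependency graph and that every referenced
    dependency resolves to a declared component.
    """
    findings = []

    meta = sbom.get("metadata", {})
    if not meta.get("timestamp"):
        findings.append("metadata: missing timestamp")
    if not meta.get("authors"):
        findings.append("metadata: missing author of SBOM data")

    names = {}  # bom-ref -> display name, used to label graph findings
    for comp in sbom.get("components", []):
        label = comp.get("name") or comp.get("bom-ref") or "<unnamed>"
        if not comp.get("name"):
            findings.append(f"{label}: missing component name")
        if not comp.get("version"):
            findings.append(f"{label}: missing version")
        if not (comp.get("supplier") or {}).get("name"):
            findings.append(f"{label}: missing supplier name")
        if not (comp.get("purl") or comp.get("cpe")):
            findings.append(f"{label}: missing unique identifier (purl/cpe)")
        if comp.get("bom-ref"):
            names[comp["bom-ref"]] = label

    # Dependency relationships: a component with no entry in the graph has an
    # unknown relationship, which a reviewer will ask about.
    in_graph = set()
    for dep in sbom.get("dependencies", []):
        parent = dep.get("ref")
        in_graph.add(parent)
        for child in dep.get("dependsOn", []):
            in_graph.add(child)
            if child not in names:
                findings.append(f"dependency {parent} -> {child}: unknown bom-ref")
    for ref in sorted(set(names) - in_graph):
        findings.append(f"{names[ref]}: no dependency relationship recorded")

    return findings


if __name__ == "__main__":
    for finding in check_sbom(load_sample_sbom()):
        print(finding)
```

Run against the sample, the checker reports a missing version and identifier for the RTOS, a missing supplier and identifier for zlib, and that the RTOS is absent from the dependency graph; openssl passes. The same function can be pointed at a real CycloneDX JSON file by replacing `load_sample_sbom()` with `json.load(open(path))`.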

Quality Management System For Cybersecurity

To properly support medical device cybersecurity, cybersecurity must be integrated into the firm's Quality Management System (QMS), because it is a risk-based activity like every other activity taking place within the medical device QMS.

The QMS assures that cybersecurity includes a framework, which may be implemented in the organization's quality manual or other high-level policy; a risk management process; a post-market surveillance program expanded to evaluate hazards arising from cybersecurity threats; and training to ensure awareness of the program and of the impact of poor cybersecurity on safe and effective use of the cyber device.

FDA's Right To Refuse To Accept

In the new guidance promulgated under FDORA, the FDA asserts its right to Refuse to Accept (RTA) a marketing submission (510(k), PMA, or De Novo) if it determines that the cybersecurity elements above were not addressed in the submission. The FDA is approaching this change gradually, to allow industry and FDA reviewers to adapt.

Until October 1, 2023, this requirement is under a modified "enforcement discretion," in which the FDA intends to collaborate with sponsors through interactive and/or deficiency reviews. After October 1, 2023, the FDA will fully implement this guidance and will refuse marketing applications that fail to meet the requirements.

Do You Have A Cyber Device?

If your new device meets the definition of a "cyber device," we encourage you to prepare to answer questions relating to cybersecurity in the submission. If you find yourself overwhelmed by the requirements, please follow up with Compliance Team. We have helped many clients through similar obstacles, and we know that we can help you too.