When we looked at cybersecurity and medical devices last fall, the Food and Drug Administration (FDA) did not have express federal statutory requirements for medical device manufacturers regarding cybersecurity. However, it is clear that there are real dangers. In September 2022, the Federal Bureau of Investigation (FBI) reported that as of January 2022, 53% of connected medical devices and other Internet of Things (IoT) devices in hospitals had known critical vulnerabilities. According to industry research shared by the FBI, approximately one-third of healthcare IoT devices have an identified critical risk that could affect the technical operation and functions of medical devices.
The FBI also cited findings from a 2022 report conducted by a healthcare cybersecurity analyst stating that insulin pumps, intracardiac defibrillators, mobile cardiac telemetry, pacemakers, and intrathecal pain pumps are among the medical devices susceptible to cyber attacks. The devices can be compromised to deliver inaccurate readings, administer drug overdoses, or endanger patient health in other ways. Given the dangers posed by cybersecurity breaches in medical devices, legislators and regulators alike have taken steps to establish requirements for device safety.
Section 3305 of the Consolidated Appropriations Act, 2023, which was passed in December 2022, specifically addresses the cybersecurity of medical devices and added a new section to the Federal Food, Drug, and Cosmetic Act (FD&C Act), Ensuring Cybersecurity of Devices. This amendment authorizes the FDA to establish cybersecurity requirements for internet-connected medical devices and lays out the first of those new mandates.
The revised FD&C Act defines a “cyber device” as a device that “includes software validated, installed, or authorized by the sponsor as a device or in a device; has the ability to connect to the internet; and contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.” Medical devices that do not meet that definition do not have to comply with the new cybersecurity regulations, though device manufacturers are encouraged to contact the FDA if they are unsure of their device’s classification.
Once sponsors confirm that their device is a cyber device, they must undergo certain steps to meet the new cybersecurity requirements. One of these provisions is to submit a plan to monitor, identify, and address postmarket cybersecurity vulnerabilities and exploits. Because of the dynamic nature of cyber threats, the initial plan is not enough. Manufacturers are also required to design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and any related systems are cybersecure. In addition, they must make postmarket updates and patches available to address device vulnerabilities as needed. If a vulnerability is identified, manufacturers must act and address the issue as soon as possible.
The FDA is providing a transition period until October 1, 2023, during which it will work collaboratively with submission sponsors through the review process for these new provisions instead of refusing to accept premarket submissions for cyber devices that do not comply. It also published Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber Devices and Related Systems Under section 524B of the FD&C Act in March 2023 to offer additional guidance.
After the transition period is over, device approval may be delayed or denied if the FDA does not feel the manufacturer has demonstrated the adequacy of its cybersecurity safeguards.
Another new requirement is the need to provide a software bill of materials (SBOM) which details all commercial, open-source, and off-the-shelf (OTS) software used in the medical device. The SBOM will help regulators better understand how the device works and identify potential vulnerabilities.
Under the new rule, non-compliance with any medical device cybersecurity requirement is a civil offense under the FD&C Act. Companies can face penalties of up to $15,000 for each such violation and $1,000,000 for all such violations adjudicated in a single proceeding.
It is worth noting that the FDA’s position is that both medical device manufacturers (MDMs) and health care delivery organizations (HDOs) have a role in ensuring the appropriate cybersecurity safeguards are in place for medical devices.
According to the agency, MDMs are responsible for remaining vigilant about identifying risks and hazards associated with their medical devices, including risks related to cybersecurity. HDOs should evaluate their network security and protect their hospital systems. It recommends that both entities take appropriate steps to mitigate patient safety risks and ensure proper device performance.
However, the FDA does make it clear that MDMs are responsible for premarket testing to ensure that medical devices are cybersecure. In addition, if MDMs use OTS software in their medical devices, it is up to the MDM, not the software manufacturer, to make sure the third-party software is secure and will not compromise the safe and effective performance of the medical device.
And the FDA isn’t the only agency focused on cybersecurity of medical devices. In May 2023, the Federal Trade Commission (FTC) requested public comments for proposed changes to the Health Breach Notification Rule (HBNR).
The FTC’s proposed changes include revising several definitions to clarify the rule’s application to health apps and similar technologies not covered by the Health Insurance Portability and Accountability Act (HIPAA); clarifying that under the rule a “breach of security” includes an unauthorized acquisition of identifiable health information as a result of a data security breach or an unauthorized disclosure; authorizing the expanded use of email and other electronic means of providing clear and effective notice of a breach to consumers; and expanding the required content that must be provided in the notice to consumers.
The proposed rule could create more risk for certain companies, including developers of health and wellness apps and connected devices, especially those that use trackers for advertising purposes. They should evaluate their operations to ensure they are in compliance with the HBNR.
Legal experts with DLA Piper note another source of exposure. The proposed rule’s breach notification provisions would require covered entities to detail how consumers could be harmed by the breach. This change could increase the risk of breach class action lawsuits for these types of companies.
Along with the FDA and FTC, the U.S. National Institute of Standards and Technology (NIST) is also focused on improving cybersecurity. The agency released its draft NIST Cybersecurity Framework 2.0 (the Framework) on August 8, 2023. The Framework provides standards, guidelines, and practices to help organizations better manage and reduce cybersecurity risk.
In May 2017, Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, made the Framework mandatory for U.S. federal government agencies. In addition, several federal, state, and foreign governments and some insurance organizations mandate the use of the Framework for specific sectors or purposes. Some organizations may also require use of the Framework by their customers or within their supply chain. It is unclear whether medical device companies working with government agencies will be required to comply with the new Framework once it is finalized and adopted. Even if it isn’t mandatory, reviewing the best practices it outlines as part of an MDM’s own assessment of its cybersecurity plan would be a wise step to take.
The FDA acknowledges that threats and vulnerabilities for connected medical devices cannot be eliminated and that reducing cybersecurity risks is especially challenging. This is particularly true as medical devices become increasingly connected to the internet, hospital networks, and other medical devices. These technologies can improve healthcare and increase the ability of healthcare providers to treat patients, but they also present potential cybersecurity risks.
Regulators, healthcare providers, and medical device manufacturers have to work together to leverage the power of innovation while also keeping patients and the public safe.
Chris Harvey is senior vice president of client services at Sedgwick. With more than 18 years’ experience, he is recognized as an expert in the recall industry and routinely speaks on best practices at trade shows, conventions, and conferences. Throughout his career, Chris has managed more than 1,500 recall and in-market remediations, including hundreds for the largest U.S. and global brands. He also serves on the board of directors of the International Consumer Product Health and Safety Organization (ICPHSO) and is presently serving as Vice President on ICPHSO’s Executive Committee.