A former FDA reviewer shares insights into the depth and breadth of FDA cybersecurity deficiencies that could sink your device.

Naomi Schwartz, Medcrypt


As of Oct. 1, 2023, the FDA enacted its Cybersecurity Refuse to Accept (RTA) policy, turning away any medical device submission that does not meet its premarket and postmarket cybersecurity guidance. Earlier, in June 2023, the FDA released final guidance on the Electronic Submission Template and Resource (eSTAR) program, which requires all relevant cybersecurity information to be completed, effectively signaling a new era of regulatory accountability.

With the FDA’s increased cybersecurity authority and resulting enforcement, medical device manufacturers must now comply with FDA mandates. In the years leading up to these regulations, the FDA used a more idiosyncratic, educational carrot approach, providing guidance and assistance to industry stakeholders, which sometimes led device manufacturers to overlook cybersecurity measures or interpret them ambiguously. The current enforcement strategy represents a shift to the stick approach, underlining the FDA’s commitment to patient safety and the mitigation of cybersecurity risks. This strategy also aims to ease the burden on individual reviewers by providing systemic support for security assessments.

Noncompliance with FDA cybersecurity requirements can have consequences, including delays in market entry, reputational damage, and enforcement actions. Deficiency letters targeting cybersecurity vulnerabilities in medical devices are a vital part of the FDA’s cybersecurity strategy, prompting organizations to prioritize compliance and strengthen their products against potential threats.

Compliance with FDA cybersecurity requirements is not just a matter of regulatory adherence but also a crucial aspect of business success, maintaining stakeholder trust, and ensuring patient safety.

Secure by design

The FDA’s increased scrutiny of secure design for medical devices has prompted a wave of accountability within the industry. This heightened focus was evident in March’s introductory measures when the U.S. Department of Health and Human Services (HHS) secretary announced that devices must meet cybersecurity criteria for approval, followed by October’s implementation of new guidance clarifying expectations set in the PATCH Act.

Central to the FDA’s approach is the emphasis on lifecycle management. Companies must now provide comprehensive documentation demonstrating their adherence to cybersecurity guidance throughout the premarket and postmarket phases. The FDA evaluates not only the end product but also the framework and software development practices employed by manufacturers.

For companies navigating this maturing landscape successfully, it is essential to adopt key elements of a more robust software development process. FDA’s focus is on a Secure Development Lifecycle (SDLC), which includes integrating cybersecurity considerations from the project’s inception, conducting thorough threat modeling, and comprehensively documenting cybersecurity risk management plans.

Failure to design products with adequate cybersecurity measures can lead to FDA repercussions, including rejection of submissions such as “Not Substantially Equivalent” (NSE) for 510(k) or “Not Approvable” (NOAP) for premarket approval (PMA). Noncompliance may stem from devices not meeting cybersecurity standards outlined in section 524B of the FD&C Act or lacking sufficient cybersecurity information on product labels, potentially leading to misbranding. The FDA will address such noncompliance through deficiency letters outlining specifics on why a device failed to meet the requirements. In the event of a postmarket cybersecurity device failure, FDA may issue a warning letter.

Beyond regulatory implications, any security incident involving fielded medical devices, whether a data breach, a device used as an entry point for a cyberattack, or a patient safety incident, can result in significant financial setbacks for the manufacturer through loss of customer trust and damage to the company brand. Strong cybersecurity practices are crucial in safeguarding a company’s business, enhancing its reputation, and gaining the trust of investors and stakeholders.

Vulnerability management plan

In today’s regulatory environment, a robust vulnerability management plan addressing both the premarket and postmarket phases is essential for ensuring the security and integrity of medical devices. Top management needs to take the lead in identifying process gaps that need to be addressed. This includes making sure they have a framework in place that meets regulatory standards.

Research and development teams play a key role by employing trained cybersecurity professionals to effectively manage risks, identify potential threats, and thoroughly assess third-party software for issues.

Effective cybersecurity management goes beyond safeguarding sensitive information; it’s about maintaining trust and positioning your company as a market leader. Proactive cybersecurity measures have been proven to be more cost-effective than reactive ones, making them a wise investment for any organization. However, traditional enterprise cybersecurity isn’t enough in today’s expanding connected product universe.

Companies must assess their device’s current security posture and create a tailored plan, including an effective postmarket surveillance plan that involves gathering a variety of vulnerability information and learning from past incidents to enable continuous improvement. This includes regular updates, vigilant patch management, and the implementation of continuous monitoring systems. These practices form the foundation for preventing and mitigating cybersecurity threats.

Executives should allocate a budget for cybersecurity during the development phase to avoid delays and potential FDA enforcement action. Additionally, publicly traded companies must meet SEC expectations for managing cybersecurity risks and reporting incidents. Staying informed about industry standards and proactively complying with regulations are crucial for navigating this evolving regulatory landscape.

Verification and validation

Cybersecurity-specific verification and validation is another set of critical activities for ensuring the safety and reliability of medical devices amid evolving regulatory requirements. Testing confirms that a device meets specific requirements and operates securely in its intended environment, helping identify and mitigate potential cybersecurity risks before the device reaches the market.

Recent changes, including the 510(k) eSTAR requirement, intensify pressure on device manufacturers to ensure the adequacy of their cybersecurity measures. Without the necessary documentation, device manufacturers cannot submit at all, shifting the responsibility squarely onto their shoulders. To effectively manage and validate a device’s cybersecurity, companies should prioritize comprehensive testing and documentation. This includes conducting vulnerability assessments, penetration testing, and verifying security controls to ensure robust protection against potential threats.

To navigate the validation process and avoid the RTA policy implications, companies should prioritize proactive measures like seeking guidance from regulatory experts, conducting thorough risk assessments, and leveraging available resources.

In the months and years ahead, there may be a heightened focus on postmarket surveillance, emphasizing the importance of ongoing vigilance and compliance with regulatory requirements. Companies that demonstrate a commitment to product safety and regulatory compliance through mature, robust verification and validation and cybersecurity measures can navigate this landscape effectively.

Key takeaways

The FDA’s emphasis on cybersecurity highlights the imperative for device manufacturers to prioritize compliance with regulatory standards. The transition from leniency to strict enforcement signals a new era of accountability in the healthcare industry. To navigate this landscape, organizations must incorporate cybersecurity considerations into their product development processes from inception. This includes developing comprehensive documentation, closely adhering to regulatory guidance, and fostering cross-team collaboration to address deficiencies promptly and effectively. By adopting these measures, companies can safeguard patient safety and sustain competitiveness in the market.


Naomi Schwartz is the VP of services at Medcrypt and leverages over 20 years of systems engineering and regulatory expertise in advancing device commercialization. As a former FDA premarket reviewer, she concentrated on software, interoperability, and cybersecurity for connected diabetes devices, contributing to standards and working groups, and overseeing postmarket cybersecurity vulnerability incident management, all while reviewing 40 recalls and more than 200 regulatory submissions and over 200 pre-submissions in her six years at the FDA.


The opinions expressed in this blog post are the author’s only and do not necessarily reflect those of Medical Design & Outsourcing or its employees.