
Comprehending the 2022/23 Cybersecurity Guidelines for Medical Devices by the FDA

  • Gniewomir Gordziej
  • 24 Aug 2023
  • 7 min read

# Background


With the implementation of fresh cybersecurity protocols for medical devices by the FDA, set to be rigorously enforced from October 2023, it is vital to grasp the elements of the guidance and their legal consequences.


The United States Food and Drug Administration (FDA) has introduced updated directives concerning the cybersecurity risks associated with medical devices. Just like any technological product, medical devices can be vulnerable to cyberattacks and breaches. However, the consequences in the healthcare sector extend far beyond the realm of social media hacking. Depending on the specific functions of the device, these attacks can lead to violations of the Health Insurance Portability and Accountability Act (HIPAA), inaccurate patient health evaluations, incorrect medication dosages, and other potentially life-threatening outcomes.


According to the American Hospital Association, in September 2022, the Federal Bureau of Investigation (FBI) provided recommendations to mitigate the risks of cyberattacks on medical devices. Shortly thereafter, on March 30, 2023, the FDA issued its guidance titled "Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber Devices and Related Systems" under section 524B of the FD&C Act. This guidance is aimed at both industry professionals and FDA personnel and was prompted by legal changes that took place in December.


In December 2022, the Consolidated Appropriations Act, known as the Omnibus Act, was enacted into law. Among its various provisions, section 3305, which focused on ensuring the cybersecurity of medical devices, brought about changes for the FDA by amending the Federal Food, Drug, and Cosmetic Act (FDC Act). This amendment introduced section 524B into the FDC Act, designed to enhance the security of medical devices and reduce their susceptibility to cybersecurity risks. With the Omnibus Act in effect, the FDA had a 90-day window to establish new protocols for medical devices. By the close of March, the FDA had begun implementing these new protocols to guide regulatory decisions concerning medical devices. However, applications submitted prior to this date were not subject to the updated guidance.


Instead of following the conventional process of issuing draft and final guidance, the FDA chose to implement the protocols directly without soliciting public input. This decision was influenced by constraints outlined under section 701(h)(1)(C) of the FDC Act (21 USC 371(h)(1)(C)) and 21 CFR 10.115(g)(2). Anna Rudawski, a legal expert in cybersecurity and medical cybersecurity matters and a partner at Norton Rose Fulbright, elucidated the legal consequences and the historical context related to these novel protocols.


# Areas of vulnerability


Rudawski pointed out that this marks only the second major release of cybersecurity guidance by the FDA, the previous one having occurred many years ago. "The need for a follow-up has been overdue," Rudawski emphasized. "This has been driven by the vulnerability of numerous devices connected to the internet, making them susceptible to cyberattacks." She clarified that apart from medical devices directly used by consumers, like wearable sensors, a significant number of devices within healthcare setups are also prone to cybersecurity vulnerabilities.


Within healthcare institutions, various backend tools are utilized by medical professionals for patient treatment, and these tools can be exposed to cyber threats. Recognizing these security gaps, the FDA has taken a stern approach in enforcing cybersecurity protocols to ensure the safety of medical devices across all levels of patient care.


"Another factor driving these regulations – not just in the medical device realm, but across cybersecurity in general – is the challenge of asset management, a problem faced by every company regardless of their assets," Rudawski added. "In the medical context, every device essentially becomes an asset that requires safeguarding, particularly within a hospital or healthcare system."


The earlier cybersecurity guidelines primarily concentrated on post-market surveillance, focusing on protocols for issuing alerts and recalls. However, they had yet to propose measures for device development and premarket approval to proactively manage cyber risks.


# Tech Debt


Rudawski clarified that numerous medical devices, as well as technological assets beyond the medical realm, can succumb to what the technology industry terms "tech debt." This concept describes situations where technology employs unsupported or outdated software components.


"This is a persistent challenge, particularly in the healthcare sector where reliance on devices and software is frequent," she explained. "These could be outdated, unsupported, or incapable of being patched due to the discontinuation of support for the specific version used by a facility or individual. Upgrading might not be feasible due to time or resource constraints."


While in some cases, manufacturers might offer optional updates that users can decline, resembling software updates on computers or phones, certain updates are mandatory and cannot be postponed or rejected. Such updates are often prompted by significant security vulnerabilities identified by the manufacturer. Nevertheless, Rudawski emphasized, "This approach is only effective as long as the device remains supported. However, dealing with a device that's no longer supported or falls outside its intended use can present more complex challenges."


"In the realm of medical devices, especially in the diabetes sector, there's a considerable number of devices. Unfortunately, many of them lack interoperability," she added. "Certain applications allow patients or healthcare providers to amalgamate data from multiple devices into one unified app, interface, or connected system where they can communicate with each other."


Achieving this setup requires developers to "jailbreak" medical devices, essentially creating an entirely new app. Despite the unmatched benefits for patient care, these products exist without regulation. "Manufacturers are naturally inclined to support devices they are aware of. Devices that fly under the radar are less likely to receive support. It might sound counterintuitive, but practically every organization and device has some degree of shadow IT," she elaborated. "This refers to uncharted IT or devices that remain disconnected from the network or the internet, either because they've been jailbroken to operate offline or because they've been set up using alternative methods."


# Upcoming guidelines


This updated guidance has revised the recommended content and documentation for premarket submissions. According to the new policy, manufacturers or researchers submitting a medical device for FDA approval are now required to incorporate a strategy for monitoring and addressing cybersecurity vulnerabilities and potential breaches after the device has entered the market. This plan should be included in the initial application and should outline how these issues will be handled within a reasonable timeframe.


In addition to post-market monitoring protocols, the application must also ensure a level of "reasonable assurance" for security across the entire lifecycle of the product. This involves detailing the processes encompassing the design, development, and maintenance of the medical device to ensure its safety against critical vulnerabilities and unacceptable risks.


Furthermore, the updated cybersecurity criteria underscore that manufacturers seeking FDA approval must furnish a software bill of materials (SBOM) and comply with other requirements set forth by the FDA.


However, the FDA's guidance document clarifies, "FDA’s guidance documents do not establish legally enforceable responsibilities. Instead, guidances describe the agency’s current thinking on a topic and should be viewed only as recommendations unless specific regulatory or statutory requirements are cited. The use of the word should in agency guidance means that something is suggested or recommended, but not required." Despite these enhanced standards outlining more intricate protocols, Rudawski suggests that they might still fall short. She points out that the majority of advanced medical device manufacturers and providers have already been adhering to the suggested measures for device security and safety.


# Legal impact


While the FDA's language suggests that these guidelines serve as recommendations, Rudawski conveyed that stakeholders who haven't yet embraced or integrated these suggestions are likely to face consequences. Manufacturers might not encounter immediate issues, but they could face penalties if a data breach, disruption, or cybersecurity problem occurs.


"In the event that manufacturers experience vulnerabilities in their devices leading to repercussions, they could potentially face various lawsuits and investigations," Rudawski explained. "Manufacturers are obligated to inform affected individuals. If the device becomes inoperable or patient data is compromised, they could potentially fall under the purview of HIPAA or the FTC breach rule."


When breaches transpire, several federal regulators become involved. Should health information or patient safety be compromised, legal repercussions may arise, casting doubts on the manufacturer's adherence to quality system regulations (QSR), digital health protocols, and other cybersecurity considerations.


"We've witnessed instances where ransomware attacks or data breaches impacting medical devices have resulted in patient harm, unfavorable outcomes, or even fatalities. Regulators are now raising questions about these incidents. How long was the service disrupted? What were the consequences for patients? How much patient data was compromised?"


While the FDA's language might convey these protocols as mere recommendations, there's a broader landscape to contemplate. For instance, FTC and HIPAA enforcement actions are likely to reference these standards. Moreover, in the aftermath of a breach leading to a class-action lawsuit, legal representatives are likely to concentrate on these standards, specifically the manufacturer's nonadherence to them, to build their case.


# Anticipating the Future


Although the guidance is already in effect, the FDA has indicated that it won't render a "refuse to accept" verdict based on application materials missing under the new protocols until October 1, 2023. Leading up to this date, manufacturers and sponsors will collaborate with the FDA in the review process, enabling these entities to address their recognized risks. Nevertheless, after October 1, all applicants are expected to adhere to the issued guidelines.


"They haven't introduced anything that wasn't already familiar to medical device manufacturers unless they were considerably inexperienced in device development," she stressed. Rudawski conveyed that the majority of manufacturers are already integrating the FDA's recommendations, suggesting that significant adjustments to their workflow won't be necessary. However, she highlights that these updated directives will require a more demanding premarket submission for medical devices.


Despite many manufacturers having already instituted cybersecurity measures for device protection, Rudawski underscores the importance of averting cyber threats through early integration of risk assessment and management strategies.


"Our involvement ideally commences at the earliest phases of product or service development. Managing cybersecurity is considerably more attainable when it's woven into the fabric of initial product development, as opposed to addressing it as an afterthought," she remarked.


Acknowledging that threats and vulnerabilities can't be entirely eliminated, the FDA provides tools and protocols to curtail risk. Manufacturers and healthcare practitioners employing medical devices are encouraged to leverage FDA resources for more effective risk mitigation strategies. The FDA offers resources such as the Medical Device Cybersecurity Regional Incident Preparedness and Response playbook, along with the Playbook for Threat Modeling Medical Devices.


©2021 - 25 by MEDTECHCONSULTING