GxP Lifeline

3 Steps to Cybersecurity Compliance: Simplifying the Latest FDA Draft Updates to Section 524B



Cybersecurity is incredibly important in today's interconnected world. The recent cyberattack on Change Healthcare that crippled a large segment of healthcare operations across the nation exemplifies the importance of medical device cybersecurity.1

Section 524B was added to the Federal Food, Drug & Cosmetic Act (FD&C Act) in December 2022, bringing the design, development, and maintenance of medical device cybersecurity under regulation. The FDA clarified its expectations in September 2023 in the final Premarket Cybersecurity Guidance, and the agency continues to refine its position in the spirit of learning and communication.

In that spirit, the U.S. Food and Drug Administration (FDA) released the draft guidance “Select Updates for the Premarket Cybersecurity Guidance: Section 524B of the FD&C Act” in March 2024. The proposed update to the FDA cybersecurity guidance outlines specific requirements for cyber devices. Medtech companies must now determine whether the update applies to their products and assess how the proposed updates affect their regulatory change management process.

What Is a Cyber Device?

The FDA cybersecurity guidance update only applies to cyber devices, so if a company already complies with the Premarket Cybersecurity Guidance and does not manufacture a cyber device, no action is required. For companies that do manufacture a cyber device, the proposed medical device cybersecurity requirements apply.

So what exactly is a cyber device? Under Section 524B, a medical device is a cyber device if it meets all three of the following criteria. It:

  1. Includes software validated, installed, or authorized by the sponsor, including firmware or programmable logic;
  2. Has the ability to connect to the internet, which the draft guidance reads broadly to include Wi-Fi, cellular, network/cloud, Bluetooth, radio frequency (RF), inductive communications, or hardware connectors such as USB, Ethernet, or serial ports; and
  3. Contains technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats, such as data storage mechanisms, communication protocols, remote monitoring, touchscreens, embedded sensors, or operating systems.

If a medical device meets all three criteria, it is a cyber device and the draft FDA cybersecurity guidance applies. Note that the three criteria are conjunctive: a device with software but no ability to connect to the internet is not a cyber device under this definition. To simplify the process for devices that do qualify, follow these three key steps to achieve medical device cybersecurity compliance.

1. Update Cybersecurity Management Plans and Procedures

Thorough documentation is the cornerstone of all regulatory change management and compliance, and cybersecurity compliance is no exception. Manufacturers of cyber devices must maintain a cybersecurity management plan (CMP) that outlines strategies for monitoring, identifying, and addressing cybersecurity vulnerabilities. It should also reference procedures for coordinated vulnerability disclosure (CVD), including how remediation will be communicated to customers. Additionally, manufacturers must establish clear timelines for developing and releasing updates and patches that address known vulnerabilities.

If a cyber device uses third-party software components, manufacturers should update the software bill of materials (SBOM) so that it is machine-readable, carries the baseline attributes for every component, states the level of support each component receives, and records the date on which that support ends. Taking these steps aligns the SBOM with the draft FDA cybersecurity guidance.
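The requirement above is concrete enough to check mechanically: every component in the SBOM needs the baseline attributes (the NTIA minimum elements of supplier, component name, version, unique identifiers, dependency relationship, plus the SBOM author and timestamp at document level), a support level, and a support end date, and any component whose support has already ended needs attention. The following Python script is an added example, not code from the original post or from any SBOM tool. It uses a simplified, constructed JSON layout and field names chosen for illustration rather than CycloneDX or SPDX output, and the sample SBOM, its component names, and its dates are all constructed.

```python
"""Added example: validate a machine-readable SBOM for the attributes the draft
FDA guidance expects and flag components whose support has ended.

The JSON layout and field names below are assumptions made for this example;
they are not a standard SBOM schema. The sample SBOM is constructed."""
import json
from datetime import date
from typing import List

# NTIA minimum-element baseline attributes expected on every component.
BASELINE_FIELDS = ("supplier", "name", "version", "identifiers", "dependencies")
# Additional per-component fields the draft guidance asks for.
SUPPORT_FIELDS = ("support_level", "support_end_date")
# Document-level minimum elements.
DOCUMENT_FIELDS = ("author", "timestamp")

# Constructed sample SBOM for a hypothetical device; not real product data.
SAMPLE_SBOM = json.dumps({
    "author": "Example Device Co. Product Security",
    "timestamp": "2024-04-01T00:00:00Z",
    "components": [
        {"supplier": "OpenSSL Software Foundation", "name": "openssl",
         "version": "3.0.13", "identifiers": ["pkg:generic/openssl@3.0.13"],
         "dependencies": [], "support_level": "active",
         "support_end_date": "2026-09-07"},
        {"supplier": "Example RTOS Vendor", "name": "rtos-kernel",
         "version": "2.1", "identifiers": [], "dependencies": ["openssl"],
         "support_level": "end-of-life", "support_end_date": "2023-12-31"},
        # Component with no support information at all.
        {"supplier": "Example BLE Vendor", "name": "ble-stack",
         "version": "1.4.2", "identifiers": ["pkg:generic/ble-stack@1.4.2"],
         "dependencies": []},
    ],
})


def check_sbom(sbom_json: str, today_iso: str) -> List[str]:
    """Return a list of findings for the SBOM; an empty list means it passes.

    today_iso is the assessment date in ISO format (YYYY-MM-DD), passed in so
    the check is reproducible rather than tied to the wall clock."""
    today = date.fromisoformat(today_iso)
    sbom = json.loads(sbom_json)
    findings: List[str] = []

    for field in DOCUMENT_FIELDS:
        if not sbom.get(field):
            findings.append(f"sbom: missing document-level field '{field}'")

    components = sbom.get("components", [])
    known_names = {c.get("name") for c in components}

    for comp in components:
        label = f"{comp.get('name', '<unnamed>')}@{comp.get('version', '?')}"
        # Every baseline and support field must be present.
        for field in BASELINE_FIELDS + SUPPORT_FIELDS:
            if field not in comp:
                findings.append(f"{label}: missing field '{field}'")
        # A component with no unique identifier cannot be matched to advisories.
        if "identifiers" in comp and not comp["identifiers"]:
            findings.append(f"{label}: no unique identifier (e.g. purl or CPE)")
        # Dependency relationships must point at components in the SBOM.
        for dep in comp.get("dependencies", []):
            if dep not in known_names:
                findings.append(f"{label}: dependency '{dep}' not in SBOM")
        # Flag components whose vendor support has already ended.
        end = comp.get("support_end_date")
        if end and date.fromisoformat(end) < today:
            findings.append(f"{label}: support ended {end}")
    return findings


if __name__ == "__main__":
    for finding in check_sbom(SAMPLE_SBOM, "2024-04-01"):
        print(finding)
```

Run against the constructed sample on 2024-04-01, the check passes the OpenSSL entry, flags the RTOS kernel for both its missing identifier and its expired support, and flags the BLE stack for the two missing support fields. The same loop can be pointed at the manufacturer's real SBOM export once the field names are mapped to the schema actually in use.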

2. Document Ongoing Cybersecurity Maintenance

Medical device cybersecurity is not a one-time effort but an ongoing process that requires continuous assessment and monitoring. Manufacturers must implement mechanisms to regularly assess the cybersecurity of their devices and respond promptly to emerging threats and vulnerabilities.

Ongoing assessment ensures that cyber devices are protected from evolving cybersecurity threats throughout their life cycle. By staying proactive, manufacturers can better protect patient data, mitigate potential cybersecurity risks, and comply with the FDA cybersecurity guidance.

Medical device cybersecurity maintenance includes the processes and procedures that keep the device and any related systems secure. Manufacturers must consider related systems such as other devices, software that performs multiple functions, software/firmware update servers, and network connections.

If a cyber device has multiple functions, the FDA cybersecurity guidance requires the following documentation to accompany the submission:

  • Cybersecurity risk management report
    • including the threat model, cybersecurity risk assessment, SBOM, vulnerability assessment and software support, unresolved anomalies assessment, and traceability.
  • Measures and metrics
  • Security requirements and architecture views (if not already part of the threat model)
  • Testing
  • Labeling
  • Cybersecurity management plans

3. Assess and Manage Changes

Regulatory submissions must include any changes that could impact cybersecurity. Those changes must be carefully assessed and managed to ensure compliance with the FDA cybersecurity guidance and to safeguard patient safety. Manufacturers often use change management software to support effective regulatory change management.

Whether through change management software or a manual change control process, manufacturers must assess every change for medical device cybersecurity risk. Examples of changes that warrant assessment include modifications to authentication mechanisms or encryption algorithms, new connectivity features, and software or firmware updates.

If the changes are not likely to impact medical device cybersecurity, manufacturers should still update the cybersecurity management plan with a high-level view of any updates or patches made for vulnerabilities, a summary of why the device remains cybersecure including its limitations and residual risks, and SBOMs for all components.

By assessing and managing cyber device changes effectively, manufacturers can minimize cybersecurity risks and ensure compliance with regulatory change management requirements.

Conclusion

The updates in the latest draft FDA cybersecurity guidance require a systematic approach that prioritizes thorough, ongoing documentation and effective regulatory change management of cyber device changes. By following these three key steps, manufacturers can demonstrate their commitment to cybersecurity, protect patient data, and ensure compliance with FDA regulations. In today's rapidly evolving threat landscape, proactive cybersecurity measures are essential to safeguarding the integrity of medical devices and promoting patient safety.

Reference

  1. https://www.wsj.com/articles/change-healthcare-hack-what-you-need-to-know-45efc28c


Becky Blankenship is a technical writer at Cannon Quality Group. She has a background in quality management at pharmaceutical and medical device manufacturing. She has a bachelor’s degree in chemistry from the University of Southern Mississippi. Prior to joining CQG, she worked for more than a decade as an auditor and technical writer.

