Blog Article

New Standards in Med Dev Cybersecurity

Raising cybersecurity standards for medical devices necessitates manufacturers' compliance with new global regulations.

Written by:
Daphney Makhetha
Published on:
April 30, 2024

The Evolving Landscape of Medical Device Cybersecurity Regulations

A medical device company’s management of its products’ cybersecurity has been a significant expectation among regulatory authorities for many years.

To help with that in the US, FDA published its first guidance on medical device cybersecurity in 2005. It covered Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software.

This was followed in 2014 with guidance on Content of Premarket Submissions for Management of Cybersecurity in Medical Deviuidance on Postmarket Management of Cybersecurity in Medical Devices. Although useful, the recommendations from these documents have been judged to be insufficient and not very rigorous.

However, since passage of the 2023 US Government Consolidated Appropriations Act and FDA’s 2023 updated guidance on Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, the cybersecurity bar has been raised. The 2023 premarket guidance replaces the 2014 premarket guidance, which had been updated in draft forms in 2018 and 2022.

Over the years, FDA’s premarket guidance went through a significant evolution from the somewhat limited 9-page 2014 document to the now comprehensive 57-page 2023 guidance.

The 2023 Consolidated Appropriations Act transitioned what has historically been a less formal “recommendations” approach in FDA’s guidance on medical device cybersecurity to statute-based requirements or law through passage of the Act.

For example, by law, Section 3305 of the Consolidated Appropriations Act requires that the sponsor (e.g., a medical device company) of an application or submission (e.g., a 510(k) premarket submission) shall:

  1. Submit a plan to monitor, identify, and address postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures;
  2. Design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems to address:
    • On a reasonably justified regular cycle, known unacceptable vulnerabilities
    • And as soon as possible out of cycle, critical vulnerabilities that could cause uncontrolled risks
  3. Provide to the Secretary a software bill of materials, including commercial, open-source, and off-the-shelf software components; and
  4. comply with such other requirements as the Secretary may require through regulation to demonstrate reasonable assurance that the device and related systems are cyber-secure.

Global Shift Towards Strengthening Medical Device Cybersecurity

Particularly notable in the Consolidated Appropriations Act are the requirements for the post-market cybersecurity plan and the software bill of materials, which have historically not been emphasized in US regulatory submissions. These require major effort from the earliest stages of a medical device’s development. Also, from the 2023 premarket guidance, premarket submissions will now need to include results from penetration testing and threat modeling exercises, which also involve substantial effort and cost.

Higher expectations for cybersecurity are not just limited to the US. The EU’s 2022/2555 Directive on the Security of Network and Information Systems (“NIS2”) now mandates cybersecurity risk management measures and reporting requirements for manufacturers of medical products, including chemicals (APIs), pharmaceuticals, and medical devices.

Similar to the US, Australia’s Therapeutic Goods Administration’s 2022 Medical device cyber security guidance for industry calls for a total product lifecycle (TPLC) approach to managing cybersecurity. It also calls for penetration testing and threat modeling as part of a device’s risk management/assessment process.

And Singapore announced in 2022 that it plans to deploy a Cybersecurity Labelling Scheme for Medical Devices - CLS-MD. The labeling scheme is currently in a “sandbox” or trial period. The scheme is based on medical devices being rated according to four levels of cybersecurity provisions and assessments.

The cybersecurity label for medical devices would provide an indication of the level of security in medical devices. Although currently voluntary, this new scheme demonstrates the Singapore government’s serious concern with medical device cybersecurity.

In addition to the examples above there is lots of heightened awareness about the need to keep medical devices “cyber safe” around the world, including global initiatives from the International Medical Device Regulators Forum to produce excellent technical documents on Principles and Practices for Medical Device Cybersecurity, Principles and Practices for the Cybersecurity of Legacy Medical Devices, and Principles and Practices for Software Bill of Materials for Medical Device Cybersecurity.

If you are developing or already have a medical device with software, especially if the device can be electronically connected to other devices or to a network then you need to take cybersecurity seriously and fully understand the cybersecurity requirements and expectations in whatever region you are or will be selling to. If you would like support with navigating your global cybersecurity compliance, please feel free to reach out to Pure Global for assistance.

Subscribe to newsletter
Subscribe to receive the latest blog posts to your inbox every week.
By subscribing, you agree to our Terms and Conditions.
Thank you for subscribing!
Oops! Something went wrong while submitting the form.
Read More

Latest Blog Content

Explore our collection of articles, success stories, and regulatory updates, designed to help you take your product global.

Blog Article
Brazil: Adapting to Evolving Regulatory Markets

Brazil aligns medical device regulations with global standards, including Europe and the US. Recent updates and international compatibility attract manufacturers.

Blog Article
AI in Medtech Brazil

AI is revolutionizing MedTech in Brazil, enhancing healthcare through process optimization and data-driven decisions. Pure Global ensures swift, compliant market introduction of innovative solutions.

Blog Article
Pure Global: Regulatory Decisions for Global Success

Discover how to navigate commercial and regulatory challenges for global success in the medical device industry. Learn strategies for market access, regulatory compliance, and post-market vigilance

Blog Article
New Standards in Medical Device Cybersecurity

Raising cybersecurity standards for medical devices necessitates manufacturers' compliance with new global regulations.

Contact us
Request information

Let's Talk,
Anywhere You Are.

Whether looking for more information or ready to partner with us, we're here to guide you through every step of the regulatory process.

Our closest representative will get back to you within 24 hours.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.