Navigating New Medical Device Cybersecurity Rules

By Milton Yarberry and Stephanie Van Ness

According to a 2022 FBI report, 53% of digital medical devices and other internet-connected products used in hospitals had known critical vulnerabilities caused by issues including unpatched and outdated software.

In today’s world, where evolving cyber threats loom large – ransomware attacks alone have increased by more than 37% in 2023, according to Zscaler – safeguarding medical devices is paramount. To that end, in April 2022 the FDA released guidance for device manufacturers to follow, titled Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.

That guidance was applied in March 2023 in the form of new regulations as part of The PATCH Act (Protecting and Transforming Cyber Health Care). The new rules mandate that device manufacturers adhere to elevated levels of cybersecurity compliance for new devices that contain software or that are designed to be connected to the internet – even if they’re never actually connected. 

While the rules were applied in March, the FDA granted manufacturers a grace period to ready themselves, delaying the requirement for device makers to comply with the more stringent rules until October 1, 2023. 

With that date in the rear view, device manufacturers looking to bring a new connected medical product to market now need to clear a higher bar for compliance. If you’re developing a new medical device, you must provide much more information in your premarket submission than was required prior to October 1. 

Note that if you have an existing cyber device that was previously authorized and you’re now making a change to the device that requires premarket review by the agency, the law also applies to your new premarket submission.

Complying with the New Cyber Requirements 

The FDA's 2022 cybersecurity guidance strongly emphasizes the importance of integrating security measures early in medical device development and the necessity of post-market vigilance. But – and here’s where things get tricky – actually implementing this guidance presents challenges for manufacturers, because the specifics must be drawn from several standards and reports with overlapping but subtly different content. (In the finalized guidance, the FDA clarified the required documents and interoperability considerations.)

Additionally, device makers must now meticulously prepare a mountain of documentation around cybersecurity, carefully organized into four key categories: security risk management, post-production information, design history, and verification and validation. Within each of these file categories, there are myriad additional documents to prepare. 

For instance, in the design history file device makers must provide information on:

Security Requirements: Requirements derive from the top-level control categories found in Appendix 1 of the FDA’s 2022 Guidance. They are principally the control mitigations identified in your risk analysis, which is part of your security risk management documentation obligation.

Security Specifications: These specifications implement the Security Requirements and trace each requirement to the specific implementation that satisfies it.

Code Analysis: Source code analysis and binary code analysis that lead to the creation of your Software Bill of Materials (SBOM), an inventory of the elements that make up your software components – considered essential to software security and supply chain risk management.

And that’s just a small portion of the documentation you as a device maker will need to provide! 

What Documentation Must I Provide?

To help you make sense of all of the documentation you’ll need to assemble – and their relationships to each other and the overall plan – we’ve put together a helpful eBook that outlines the new compliance requirements. 

Cybersecurity for Medical Devices: A Checklist of Cybersecurity Documentation features a detailed checklist of the documents you’ll need for your submission, and clear graphics that help you visualize how this documentation fits together to form your cybersecurity plan. The eBook is well worth a look because without all of the relevant documentation, the FDA will not even consider your submission. 

Get your free copy of this indispensable resource. 

The Takeaway

As medical devices grow increasingly connected, so too does the risk posed by cybersecurity breaches. To better safeguard devices and patients, the FDA has increased compliance requirements for new devices – but in the process made compliance more complex for device makers. Our eBook Cybersecurity for Medical Devices: A Checklist of Cybersecurity Documentation is designed to streamline the compliance process for device makers like you who are driving innovation and transforming healthcare.