Cybersecurity threats to the healthcare sector have become more frequent and more severe, carrying increased potential for clinical impact. Cybersecurity incidents have rendered medical devices (MD) and hospital networks inoperable, disrupting the delivery of patient care across healthcare facilities. Increased connectivity has resulted in individual devices operating as single elements of larger medical device systems.
These systems can include healthcare facility networks, other devices and servers, among other interconnected components. Consequently, without adequate cybersecurity considerations across all aspects of these systems, a cybersecurity threat can compromise the safety and/or effectiveness of a medical device by compromising the functionality of any asset in the system.
As a result, ensuring device safety and effectiveness includes adequate device cybersecurity, as well as its security as part of a larger system.
The Regulatory Landscape: FDA Guidance
In March 2023, the FDA issued a guidance (published as final, without first releasing a draft for comment) implementing section 524B of the FD&C Act, under which manufacturers of MDs that meet the definition of a cyber device must:
Submit a plan to monitor, identify and address, as appropriate and within a reasonable time, post-market cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure.
Design, develop and maintain processes that provide reasonable assurance that the MD and related systems are cybersecure, and make post-market updates and patches available to address known vulnerabilities.
Provide a software bill of materials covering the device's commercial, open-source and off-the-shelf software components.
In September 2023 the FDA then issued the final guidance Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.
The guidance confirms that the definition of a cyber device also reaches combination products (devices combined with drug or biologic constituents). A cyber device is one that meets all three of the following conditions:
Include software validated, installed, or authorised by the sponsor as a device (or in a device)
Have the ability to connect to the Internet
Contain technological characteristics validated, installed, or authorised by the sponsor that could be vulnerable to cybersecurity threats.
Comprehensive Approach: Cybersecurity for Medical Device Systems
The guidance emphasises the need for sponsors to include vulnerability and other risk management plans in their premarket submissions and to ensure products are designed and developed with cybersecurity in mind, including a Software Bill of Materials (SBOM) and a design that can be updated and patched in the field.
Sponsors should include in their SBOM at least the minimum elements listed in the October 2021 National Telecommunications and Information Administration (NTIA) Multistakeholder Process on Software Component Transparency document.
Sponsors should also ensure their SBOMs are machine-readable. If a manufacturer cannot provide some SBOM information to the FDA, it should justify in the premarket submission why that information cannot be included.
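"Machine-readable" on its own does not make an SBOM complete: each component entry still has to carry the NTIA minimum data fields (supplier name, component name, version, a unique identifier, its dependency relationship, plus the SBOM author and timestamp at document level). The check below is an added example, not code from the original page, from Rephine or from the FDA. It walks a CycloneDX-style SBOM and lists every missing minimum field, which is exactly the set of gaps a sponsor would have to justify in the submission. The field names follow the CycloneDX 1.5 JSON layout; the device, component names and versions in the embedded sample are constructed for illustration and do not describe a real product.

```python
"""Check a CycloneDX-style SBOM (JSON) for the NTIA minimum data fields.

NTIA minimum elements (July 2021) data fields:
  Supplier Name, Component Name, Version of the Component,
  Other Unique Identifiers, Dependency Relationship,
  Author of SBOM Data, Timestamp.
Field names follow the CycloneDX 1.5 JSON layout.
"""
import json
from typing import Any

# Constructed sample SBOM for illustration; the device and component
# names/versions are invented, not a real product's bill of materials.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2023-10-02T09:00:00Z",
        "authors": [{"name": "Device Security Team"}],
        "component": {
            "bom-ref": "app", "type": "application",
            "name": "infusion-controller", "version": "4.2.0",
            "supplier": {"name": "Example Device Co"},
            "purl": "pkg:generic/infusion-controller@4.2.0",
        },
    },
    "components": [
        {"bom-ref": "openssl", "type": "library",
         "name": "openssl", "version": "3.0.10",
         "supplier": {"name": "OpenSSL Project"},
         "purl": "pkg:generic/openssl@3.0.10"},
        # Version, supplier and identifier deliberately omitted: this is the
        # kind of entry that needs a justification in the submission.
        {"bom-ref": "rtos", "type": "operating-system", "name": "vendor-rtos"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["openssl", "rtos"]},
        {"ref": "openssl", "dependsOn": []},
        # No entry for "rtos": its own dependencies are unrecorded.
    ],
})


def check_component(comp: dict[str, Any]) -> list[str]:
    """Return the NTIA data fields missing from one component entry."""
    ref = comp.get("bom-ref") or comp.get("name") or "<unnamed>"
    problems: list[str] = []
    if not comp.get("name"):
        problems.append(f"{ref}: missing component name")
    if not comp.get("version"):
        problems.append(f"{ref}: missing version")
    if not (comp.get("supplier") or {}).get("name"):
        problems.append(f"{ref}: missing supplier name")
    if not any(comp.get(k) for k in ("purl", "cpe", "swid")):
        problems.append(f"{ref}: no unique identifier (purl/cpe/swid)")
    return problems


def check_ntia_minimum(sbom_json: str) -> list[str]:
    """Return all findings for an SBOM document; an empty list means complete."""
    sbom = json.loads(sbom_json)
    findings: list[str] = []
    meta = sbom.get("metadata", {})
    if not meta.get("timestamp"):
        findings.append("metadata: missing timestamp")
    if not (meta.get("authors") or meta.get("tools")):
        findings.append("metadata: missing SBOM author")

    # The primary (device) component lives under metadata.component.
    components = list(sbom.get("components", []))
    if meta.get("component"):
        components.insert(0, meta["component"])
    for comp in components:
        findings.extend(check_component(comp))

    # Dependency relationship: every component should have an entry in the
    # dependency graph, even if its own dependsOn list is empty.
    declared = {d.get("ref") for d in sbom.get("dependencies", [])}
    for comp in components:
        ref = comp.get("bom-ref")
        if ref and ref not in declared:
            findings.append(f"{ref}: no dependency relationship recorded")
    return findings


if __name__ == "__main__":
    for finding in check_ntia_minimum(SAMPLE_SBOM):
        print(finding)
```

Run against the sample, the checker reports only the "rtos" entry: no version, no supplier, no identifier and no dependency record. Those four lines are what the submission would have to explain. Note that the dependency check treats a component with no entry in the dependency graph as a gap even when it has no dependencies of its own, because an absent entry and an empty `dependsOn` list mean different things to a reader of the SBOM.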
The FDA's perspective is that it is not enough to ship a product with good cybersecurity at launch: sponsors must also consider how the product can continue to be protected from vulnerabilities throughout its usable life, a Total Product Lifecycle (TPLC) approach.
Our Rephine Medical Device expert, Medical Device Senior Consultant & Medical Device Area Manager, Núria de la Fuente, provides her conclusion on the FDA guidance:
European Union's NIS2 Directive: A Global Standard
The European Union's NIS2 Directive also entered into force this year (January 2023; Member States must transpose it into national law by October 2024). It is not specific to MDs, but it sets out the cybersecurity obligations that apply to in-scope entities. Manufacturing of medical devices and in vitro diagnostic devices is among the sectors listed in the Directive, and a manufacturer with at least 50 employees or an annual turnover or balance sheet above €10 million falls within its scope. Such MD/IVD companies must:
Conduct a risk analysis of the potential impact of cybersecurity incidents
Implement technical measures according to the risks detected
Notify significant cybersecurity incidents to the national CSIRT or competent authority: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month of the incident notification (if the incident is still ongoing at that point, a progress report, with the final report due within one month of the incident being handled).
Detect and handle incidents without undue delay.
Provide intermediate status updates on the incident when the CSIRT or competent authority requests them.
Partnering with Rephine's MD Team for Cybersecurity Assurance
Our MD team can support companies that design Software as a Medical Device (SaMD) and want to market SaMDs in the US by preparing the cybersecurity documentation required for the FDA premarket submission.
If your target is Europe, you can also count on our team of experts to work on the cybersecurity risks and define the tests to be carried out to identify and mitigate vulnerabilities that could put the product and/or the patient at risk.
You can find more about our Medical Device services, and contact our experts by visiting our Medical Devices page.