Recent changes have gone into effect that give the Food and Drug Administration (FDA) a stately feather in their cap: the authority to require cybersecurity standards for medical devices.
However, this increased influence did not happen overnight. Nor did it happen in a vacuum.
To unpack how it came about, who is likely to be impacted, and what it means for existing and future medical devices, we have summarized the key components for you.
1. How should one refer to this new law?
The easiest shorthand is “524B.” That said, it is also commonly referred to as the “PATCH (Protecting and Transforming Cyber Health) Act,” the “Omnibus,” and even the “Food, Drug and Cosmetic Act changes.” Fundamentally, they all refer to the same thing.
2. What led to this new FDA oversight for medical device cybersecurity requirements?
It’s a bit complex, but bear with us.
In 2022, proposed legislation was floating around called the PATCH Act that included all things cybersecurity in the medical device realm. However, it was not passed by Congress.
Then, at the end of 2022, Congress signed the Consolidated Appropriations Act, 2023 (“Omnibus”) into law. Section 3305 of this Omnibus bill adopted language that implemented the non-controversial portions of the PATCH Act, and amended the Federal Food, Drug, and Cosmetic (FD&C) Act by adding section 524B, officially titled, “Ensuring Cybersecurity of Devices.”
So, now, when talking about the FDA’s authority over medical devices as it relates to security, the most accurate reference is “section 524B of the FD&C Act.” But 524B is shorthand.
3. What, exactly, does 524B allow the FDA to do?
It gave the FDA some additional authority, referred to as “statutory authority,” over medical devices submitted to them for either 510(k) clearance or pre-market approval (PMA).
Prior to this, the FDA could really only leverage guidance and best practices to hold medical device manufacturers (MDMs) accountable. However, if an MDM did not adhere to that guidance, the FDA did not have the authority to prevent them from going to market. Now it does.
524B gives the FDA the authority to tell an MDM that if their medical device does not adhere to secure by design standards, then it will not be approved.
4. What devices does this change apply to?
It only applies to new devices submitted to the FDA for either a 510(k) or PMA as of October 1st, 2023. It does not affect or apply to:
- Devices currently on the market and being used in a healthcare facility today
- End of life devices
- Devices submitted for approval prior to October 1st, 2023
5. Was this an abrupt change?
The FDA already had both pre-market and post-market guidance on cybersecurity. So, when the Omnibus passed in December 2022, it gave the FDA 90 days to implement. However, 90 days is a short window for such a significant shift.
To better support MDMs, the FDA informed them that if their application did not include the formalized security requirements outlined in section 524B, they would consult with the MDM between March and October to get their application where they needed to be for submission and approval consideration.
That consultative period ended March 1, 2023. Beyond that, if the submission does not have the necessary secure by design elements outlined by the FDA in section 524B of the FD&C Act, then the FDA can refuse to accept the application.
6. How is 524B likely to impact new products coming to market?
This will depend on the manufacturer. There are large, multinational manufacturers, especially those that sell to European countries, who have long been adhering to secure by design protocols as these countries have stringent requirements. As such, these changes are not likely to significantly impact these MDMs or delay their submission and approval process.
Conversely, smaller manufacturers, and manufacturers that have not given much consideration to cybersecurity in their designs, are likely to see their product pipeline impacted by 524B.
7. What about hospital systems and health delivery organizations (HDOs)? How might this impact them?
The way that the new laws and rules are written, the focus is on keeping the device secure over its life cycle. That said, because medical devices take a long time to design and develop, HDOs may still receive devices with outdated operating systems.
What this does mean is that the medical device manufacturer now has to have a plan for the hospital systems and HDOs that conveys how the device is updated, the update path, how it should be patched, and how it should be kept secure.
8. What does the FDA mean by a “cyber device”?
This is a new and broad term. At a high level, it refers to any electronic or computerized device or system connected to a network or the internet that can be used to access, process, store, or transmit digital information. In that context, a “cyber device” encompasses a wide range of technology.
In terms of a medical device, this could mean a device that sends data “home” to the manufacturer every now and then or shares data with a third-party repository for research, etc. In short, anytime data is transmitted or stored, cybersecurity requirements go into effect.
While this applies to medical devices, it is important to note that it does not apply to everything that sits on your network, e.g., building management systems, temperature monitoring systems, etc. So, there is quite a bit of technology associated with hospitals that does not go through the FDA for approval.
9. What does the timeline look like in terms of getting to a point where all medical devices on healthcare networks are secure by design?
It’s likely going to take some time. The life cycles of medical devices can be upwards of 10 years. For rural hospitals and small HDOs, it may be closer to 15 years. Until healthcare organizations invest in “cyber medical devices,” it will be a while before they are widely used.
That said, while capital considerations are likely to impact how quickly these devices are introduced in healthcare facilities, it is possible that other drivers will influence faster implementation.
10. What are some of those other drivers?
Cyber insurance is a primary one. It would not be surprising if cyber insurance renewal questionnaires start including questions along the lines of “what percentage of your medical devices are secure by design?” And the percentage provided could impact the renewal. As 524B starts to roll out over the coming years, there is likely to be more pressure on healthcare organizations to adopt these devices.
Some organizations may also perceive the new devices as having the ability to lower organizational risk and shift to using the new devices sooner rather than later, especially when replacing devices that are at end of life and on outdated operating systems.
Older devices are at higher risk for cyberattacks, so newer models could potentially lower costs by automating many of the cumbersome data entry tasks that older devices may require.
11. How much more expensive are these secure by design medical devices going to be compared to devices developed prior to this new law?
It’s hard to know. Many large medical device manufacturers have already embedded security in their design, so hopefully the cost impact will be minimal. But it is possible the cost will be higher depending on how much extra effort it will take for MDMs to get through the new FDA review process.
If they have to keep coming back to the drawing board, making updates and changes, that’ll require more resources, which will likely lead to a higher price point on the backend.
On the other hand, it is vital to also think about the price of not being secure, which is significantly higher. IBM Security’s 2023 “Cost of a Data Breach Report” states that the cost of a healthcare data breach is now approaching $11 million per breach.
Through that lens, the cost of using a less secure device could be more financially detrimental than the cost of using a more expensive—but more secure—medical device.
12. What are recommendations that HDOs should consider?
Every healthcare organization accepts risk differently. Whether yours is more risk tolerant or risk averse, it is essential to start talking about what section 524B means with your risk management teams.
For example, if your healthcare organization is in a financial situation that makes it impossible to update to the newest secure by design device, then it is essential to align internally on what risks might come with not upgrading and document the acceptance of the risk for future reference.
Either way, your risk management committee should include your clinical engineering or biomed departments, as well as the nurses and physicians who would be directly impacted if the device has downtime.
Now is the time to create this committee or team, and ensure you have the right people involved in these conversations. Everyone should understand where your organization is currently with these devices, where it needs to get to, and what the risks look like at various phases.
13. What is a software bill of materials (SBOM), and how does it relate to these secure by design medical devices?
A software bill of materials, or “SBOM” for short, is a list of all the pieces of software that are built into the device.
The intention behind SBOMs is to provide better visibility into what software is in the device so that when a CVE (Common Vulnerabilities and Exposures) comes out addressing a vulnerability in a piece of software, there’s better clarity around whether that device is impacted.
And, if it is, then the HDO would work with their medical device manufacturer to get the appropriate update to resolve whatever vulnerability exists.
The working group behind SBOMs is advocating for this to be a part of a medical device manufacturer’s submission process to the FDA, and then the FDA would determine how to make it available to the owner of the device.
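As an added example that is not part of the original post, the following Python script shows the kind of check an HDO or manufacturer would run when a CVE is published: it matches a device's SBOM component list against an advisory's affected version range to answer "is this device impacted?". The SBOM contents, package names and the advisory identifier are constructed sample values, not real device or CVE data.

```python
"""Match a device SBOM against a vulnerability advisory (added example, not from the post)."""
import json
import re

# Constructed SBOM fragment in a CycloneDX-like shape (component name + version).
SBOM_JSON = """
{
  "components": [
    {"name": "openssl", "version": "1.1.1k"},
    {"name": "busybox", "version": "1.31.1"},
    {"name": "libxml2", "version": "2.9.10"}
  ]
}
"""

# Constructed advisory with a placeholder id: versions in [introduced, fixed) are affected.
# A missing "fixed" value means every version from "introduced" onward is affected.
ADVISORY = {
    "id": "CVE-XXXX-PLACEHOLDER",
    "package": "libxml2",
    "introduced": "2.9.0",
    "fixed": "2.9.11",
}


def version_key(version: str) -> tuple:
    """Turn '1.1.1k' into a comparable tuple: numeric parts compare as integers,
    letter suffixes sort after the bare numeric version."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def affected_components(sbom_json: str, advisory: dict) -> list:
    """Return 'name version' strings for SBOM components inside the advisory's range."""
    sbom = json.loads(sbom_json)
    low = version_key(advisory["introduced"])
    high = version_key(advisory["fixed"]) if advisory.get("fixed") else None
    hits = []
    for comp in sbom.get("components", []):
        if comp["name"].lower() != advisory["package"].lower():
            continue
        v = version_key(comp["version"])
        if low <= v and (high is None or v < high):
            hits.append(f'{comp["name"]} {comp["version"]}')
    return hits


def device_impacted(sbom_json: str, advisory: dict) -> bool:
    """True when at least one SBOM component falls in the advisory's affected range."""
    return bool(affected_components(sbom_json, advisory))


if __name__ == "__main__":
    print(ADVISORY["id"], "impacts:", affected_components(SBOM_JSON, ADVISORY))
```

In practice the advisory data would come from a vulnerability feed and the SBOM from the manufacturer's submission; the matching logic is the same.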
Re-examining medical device security
A concern for many healthcare organizations is that they accept a certain amount of risk every time they acquire or use a medical device, including financial penalties and reputational harm. However, without medical devices, there would be no healthcare as we know it today.
The National Cybersecurity Strategy and subsequent Implementation Plan acknowledges this predicament and takes proactive steps to transfer those risks away from the healthcare organizations and back onto the manufacturers.
What that will look like in practice remains to be seen; however, the new regulations under 524B are a step in that direction.
Content for this post was developed from responses provided by Samantha Jacques, PhD, FACHE, AAMIF, Vice President of Clinical Engineering at McLaren, and Kate Pierce, Sr. vCISO & Executive Director of Subsidy Program at Fortified Health Security.