Medical devices are reshaping the healthcare field as designers and manufacturers continue to push the boundaries of what technology can do. We've seen countless innovations hit the market over the last several years, leading to a significant rise in adoption. In the United States alone, projections show market revenue for medical devices surpassing $164 billion by the end of 2023. By 2028, it'll likely pass $206 billion.

It's not hard to see why. Well-designed medical devices transform how healthcare professionals approach everything from providing accurate diagnoses to delivering effective treatment. It's helping to lower costs and improve how the industry reports data while creating better patient outcomes.

But, new risks for patients and providers come with the meteoric rise of medical devices. Unfortunately, the last several years also saw increased cybersecurity issues for medical devices. In 2023 alone, annual healthcare breaches affected over 42.7 million patients. Even one of America's biggest healthcare systems experienced security issues earlier this year.

The United States Congress created new legal requirements to address the growing risks, and the Food and Drug Administration (FDA) issued new guidance for cybersecurity in medical devices. These new cybersecurity regulations aim to make devices more secure throughout their lifecycle. While necessary for patients and providers, these changes will impact the development process for device makers.

Therefore, companies should seek assistance from expert medical design consultants like Voler Systems to ensure full compliance.

The Evolution of FDA Regulations for Medical Devices

Late 2022 marked a new era of medical device safety with the signing of the 2022 federal Omnibus spending bill.

Section 3305 of the Omnibus, titled "Ensuring Cybersecurity of Medical Devices," amended the Food, Drug, and Cosmetic Act of 1938. The Omnibus added a new section: "Ensuring Cybersecurity of Devices."

The Omnibus bill requires the FDA to enforce new cybersecurity requirements in submissions for medical devices. It also requires the FDA to update medical device cybersecurity guidance at least every two years.

On September 27, 2023, the FDA issued new non-binding guidance to replace older guidance from 2014. The new legal requirements are in effect with full enforcement as of October 1, 2023.

Four New Legal Requirements

The new law has four key requirements. They apply to all cyber devices, which the Food, Drug, and Cosmetic Act defines as a device that "includes software validated, installed, or authorized by the sponsor as a device or in a device" has the ability to connect to the Internet, and contains technological characteristics that could be vulnerable to a cybersecurity threat. Since any device that connects to the Internet probably contains software and is probably vulnerable, the act applies to almost any device that can connect to the Internet, even if it is not intended to connect to the Internet.

The requirements are as follows:

1. Processes to Ensure Cybersecurity

Device makers must now have a definitive process to ensure that devices and all related systems are cyber-secure. The process must cover the design phase, development stage, and maintenance throughout the device's entire life cycle.

2. Plans to Monitor Cybersecurity

Companies must also submit full plans to identify and address post-market cybersecurity vulnerabilities and exploits. There must be plans to update and recover devices from threats.

3. Software Bill of Materials (SBOM)

Submissions must include an SBOM describing the software components, including commercial open-source and off-the-shelf software.

4. Meeting Future FDA Requirements

Existing devices already approved by the FDA may have future FDA requirements they must meet.

New FDA Guidance

FDA guidance is comprehensive, but the most important elements include what companies should do to keep devices safe from vulnerabilities through initial design to end-of-life maintenance. It covers key requirements for pre-market submission, which will form the basis of post-market activities to maintain the security of devices. Although the guidance is nonbinding, you must meet it or do something you can show is equivalent.

The following are key parts of the guidance.

Creating a Secure Product Development Framework

The foundation of the new FDA guidance is design controls, and the best way to meet design controls is by establishing a secure product development framework (SPDF). An SPDF is a set of development practices that help identify and reduce vulnerabilities in a product. It encompasses all aspects of a medical device's life cycle as part of the standard design controls.

Cybersecurity should be part of creating requirements, risk analysis, verification testing, and other design controls throughout the design process.

Designed In, Not Bolted On

A central principle of good SPDFs is designing for security instead of treating it like an afterthought. Cybersecurity should be part of the product lifecycle, from initial development to post-market maintenance and product end-of-life.

Security Architecture

Security architecture defines the system and all end-to-end connections. Part of establishing an SPDF is establishing and maintaining plans that define responsibility for implementing the entire system. It must be part of the device's overall design, development, and maintenance.

Documentation should include a description of the implementation's holistic function, including the entire system in which the device will operate. The security architecture should also have a corrective and preventative action subsystem that collects and analyzes information to investigate problems before taking action to correct them and fix cybersecurity problems.

Cybersecurity Testing

Finally, a solid SPDF needs cybersecurity testing. Testing is where companies ensure that the design controls get implemented as intended.

There are many ways to do cybersecurity testing. It can be through penetration testing, where software scrutinizes the device. Companies can also do manual testing by hiring white-hat hackers who attempt to break into the device. Or, device makers can do cybersecurity testing with complete security audits to review code and architecture. Whatever the case, the goal is to ensure the controls intended to go into implementation work as they should.

Risk Assessment and Management

A big part of the FDA cybersecurity requirements comes down to risk management. The FDA wants cybersecurity to be part of your standard risk management activities. That includes analyzing vulnerabilities, evaluating their potential impacts, documenting your controls, and determining how those controls can reduce effects once implemented.

It may not be possible to assess the likelihood of an incident. Instead, security risk assessment processes focus on exploitability, or the ability to exploit vulnerabilities present within a device and/or system.

It's important to consider the total product life cycle (TPLC) and design out vulnerabilities identified by cybersecurity and infrastructure. The goal is to create a continuous and repeatable risk assessment process from supply chain and manufacturing to deployment and maintenance.

Threat Modeling

Threat modeling is a process that helps companies identify security objectives and vulnerabilities that exist throughout the system. It also involves defining countermeasures to prevent the impacts of threats. The FDA recommends including threat modeling documentation in pre-market submissions. Device makers should perform it throughout the design process and include all system elements.

A great threat model will represent all the information that impacts a device's security and should be a repeatable method companies can use throughout the product's life cycle.

There are many methodologies device makers can employ. There is excellent software that automates the process. Regardless of the methodology utilized, documentation should include the rationale for the selected methods.

Interoperability Considerations

The FDA guidance includes a section dedicated to interoperability considerations. Development teams must consider cybersecurity for the entire system when products work with other devices, accessories, healthcare infrastructures, general-purpose computers, etc.

Documentation must be provided to the end user so the device can be installed in their system and remain cybersecure.

Software Bill of Materials

Pre-market submissions must include a software bill of materials (SBOM) documenting all software components. Every component needs a full cybersecurity risk assessment. Companies must record all possible vulnerabilities and risk control processes in place to address them. That applies to every element, including every piece of third-party, off-the-shelf, and open-source software.

SBOMs are not one-time documents. They need regular updating to reflect changes in the software and control efforts for evolving threats.

The FDA doesn't require a specific industry standard for SBOMs. However, they must include:

• Software component name
• Component version
• Manufacturer
• Details about where the component resides
• Level of support provided by the manufacturer
• End of support date
• Known vulnerabilities
• Risk controls to address vulnerabilities
  
  

Assessment of Unresolved Anomalies

Security assessments should also include a complete list of unresolved anomalies and an evaluation of the potential impact that could occur if bad actors exploited them. Unresolved anomalies refer to issues that still exist within the software. They could remain unresolved for many reasons. For example, fixing them may be inappropriate due to their low risk or sporadic nature.

Either way, the FDA wants to see a list of unresolved anomalies, how their discoveries came to be, the rationale for not addressing them, possible root causes, and an assessment of what would happen if exploited.

Manufacturers have less control and visibility over third-party software components. However, your SBOM must include all relevant information for third-party components. They, too, need assessment for cybersecurity risks, and companies must update risk management documents if new security information arises.

TPLC Security Risk Management

Total Project Life Cycle (TPLC) security risk management requires continuous monitoring of devices in the field, responding to new threats, updating devices in the field, and updating documentation. The manufacturer of a device should demonstrate the effectiveness of their TPLC with annual reports that track and record:

• The percentage of identified vulnerabilities updated or patched
• The timeframe between vulnerability discovery and updating/patching
• Duration of time between patch availability and implementation

Companies must provide that information with pre-market submissions and pre-market approval (PMA) annual reports. Even when device-makers discontinue a product, it's their responsibility to maintain it and protect users. Monitoring devices in the field and annual reports must continue as long as the device is being used. This implies the manufacturer must notify the end user when the device is obsolete and no longer supported.

When Does the Guidance Apply?

FDA guidance applies to all submissions for new devices, and even when a submission is not required, such as a class I device.

Similar to the new law, the guidance applies to software or devices containing software that can connect to the Internet and could be vulnerable to cybersecurity threats. Software includes programmable logic, so it presumably applies to field programmable gate arrays (FPGAs) and programmable logic controllers (PLCs).

Staying Compliant and Creating the Medical Devices of Tomorrow

The new FDA cybersecurity for medical device requirements can and will impact the entire development process. The rules can be difficult to navigate, but they're crucial in protecting patients in an ever-evolving world of cybersecurity threats. Security risks will always exist, but the new requirements encourage device makers to put cybersecurity at the forefront of design and development.

With these new rules, companies like yours can create safe devices unlikely to have a major cybersecurity incident.

If you need help managing security risks with your device, contact Voler Systems. Voler has over four decades of experience as an electronic product designer. Voler's services help manufacturers integrate cybersecurity throughout the development cycle and beyond, helping to identify, assess, and mitigate risks for a safer user experience.