The Food and Drug Administration (FDA) has released final guidance aimed at enhancing cybersecurity in medical devices, coinciding with new regulations coming into effect on October 1. The guidance document, titled “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions,” provides recommendations to medical device manufacturers on various cybersecurity aspects.
It emphasizes the need for a secure product development framework, threat modeling, and the inclusion of a software bill of materials (SBOM) to reduce vulnerabilities throughout a device’s life cycle. The FDA’s “refuse to accept” policy, which allows the agency to reject premarket submissions lacking necessary cybersecurity details, will be fully enforced starting October 1.
Furthermore, the FDA’s action responds to the growing frequency and severity of cybersecurity threats to the healthcare sector, which can disrupt patient care and lead to clinical hazards. The guidance aims to ensure that medical devices and related systems are secure and that manufacturers commit to developing patches for addressing vulnerabilities.
Congress expanded the FDA’s authority over the cybersecurity of medical devices in December 2022, in legislation that included cybersecurity requirements for “cyber devices” that connect to the internet.
Although the guidance is non-binding, experts recommend device manufacturers carefully review and consider its recommendations, given the importance of cybersecurity in healthcare.
To navigate these requirements effectively, device manufacturers are advised to communicate early and regularly with the FDA. Discussing products with the FDA prior to submission can provide valuable insights into the agency’s focus areas and allow manufacturers to educate the FDA about their methods and products.
As the “refuse to accept” policy takes root, device makers should ensure thorough, well-organized, and indexed submissions. This guidance marks a significant modernization of expectations for medical device cybersecurity engineering, acknowledging the heightened risks and threats to healthcare delivery.
Manufacturers that have invested in cybersecurity programs leveraging FDA guidance will be better prepared for these changes, while those lacking strong cybersecurity leadership may face challenges in the marketplace.