Ready or Not, the FDA’s Cybersecurity Regulation is Here

Most medtech companies have been under U.S. Food and Drug Administration (FDA) scrutiny since their inception and have become accustomed to the agency’s seeming constant barrage of guidance documents. Consequently, they should not be phased by the FDA’s latest draft guidance for medical devices with software; in fact, medtech firms should embrace it, as it possibly could create significant opportunities for them.

One of this column’s authors moderated a panel of experts on this topic at last month’s MPO Summit in San Diego. Titled, “Risk or Reward? The Opportunities and Challenges With Digital Medtech,” the panel's speakers featured executives from various backgrounds: Jennifer Samproni, chief technology officer for Health Solutions at Flex; Christopher Gates, director of Product Security at Velentium; and Alex Goryachev, partner at PragmaticAI.

The panelists agreed the FDA’s draft guidance on medical devices with software will require companies’ complete attention to ensure medical devices are safe and comply with upcoming regulations.

More background on this topic can be found in the answers to some common questions:

1. What is the FDA guidance for cybersecurity in 2023? On Sept. 26, the FDA issued its final guidance, “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.” This document provides recommendations on medical device cybersecurity considerations and the kind of information to include in premarket submissions. (note: “Pre-submission” meetings with the FDA are more important than ever nowadays as market dynamics are rapidly changing).
2. Why is FDA guidance 524B such big news? Companies may or may not be aware that the “Omnibus” bill Congress passed and President Biden signed into law late last year (“The Consolidated Appropriations Act, 2023”) included a section—524B—“Ensuring Cybersecurity of Devices.”
3. What does the implementation of 524B mean? It means the FDA is authorized by Congress to regulate cyber devices used in the healthcare industry.
4. What is considered a cyber device? According to the section 524B(c), a “cyber device” (1) includes software validated, installed, or authorized by the sponsor as a device or in a device; (2) has the ability to connect to the internet; and (3) contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cypersecurity threats.
5. How can a medtech manufacturer comply with 524b? Starting on March 29, all new FDA premarket submissions must include information about the product. Companies must; (1) submit a plan to monitor, identify, and address postmarket cybersecurity threats; (2) design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates (patches) to the devices/systems, and (3) provide a software bill of materials (SBOM), including commercial, open-source, and off-the-shelf software components.
6. What is a software bill of materials? It bears repeating: As mentioned in the preceding paragraph, manufacturers are now required to provide a SBOM (software bill of materials) with their medical device 510(k) submissions. An SBOM is effectively a nested inventory, a list of ingredients that make up software components, according to FDA guidance. An SBOM identifies and lists software components, information about those components, and supply chain relationships between them. The amount and type of information included in a particular SBOM may vary, depending on factors such as the industry or sector and the needs of SBOM consumers. For this initiative, the focus will be on establishing a minimum expectation for creating a baseline SBOM that outlines the minimum amount of information and process required to support basic and essential features. Manufacturers are not (yet) required to disclose the details of their proprietary algorithms.
7. When must manufacturers comply with 524B? This requirement took effect on March 29.
8. Does it apply to all medical devices? For now, the requirement is only for new FDA submissions—510(k)s, Pre-Market Approvals, De Novos, etc. Unless there is a known cyber threat issue with a specific product, legacy devices are currently exempt from these new policies.
9. Anything else of concern? Yes. According to the MPO Summit panelists, the recent FDA draft guidance is a highly dynamic process that will result in more requirements down the road, so it’s important to pay attention to updates on this topic from the FDA and other regulatory experts.

MPO Summit panelists offered excellent advice on the best ways to tackle these dynamically evolving cybersecurity changes. Some key takeaways from this session follow.

• Be proactive in addressing cybersecurity in medical products. Don’t wait for the regulators to offer guidance. Medtech manufacturers should be compliant with regulations but also be proactive within their business and with their teams on prioritizing possible cybersecurity threats.
• Being proactive in tackling cybersecurity within medical devices creates value and can set a company apart from its competitors. Although the entire industry is impacted, only those organizations that embrace this issue as a core competency will put themselves ahead of the game and create a competitive advantage for themselves in the market (and as an employer).
• It’s not just about cybersecurity, it’s also about an artificial intelligence, big data, and risk management strategy. All of these items are connected.
• Carefully make revisions to legacy software products. Updating or revising existing solutions requires compliance with the new rules. But the regulation should not stop medtech firms from doing the right thing. On the other hand, organizations should ensure the update is really necessary; if it is, then perhaps it’s time to consider developing a new product altogether. Here’s why: If a company is going to make the effort to provide a cybersecurity update and subject itself to further FDA scrutiny, it might be best served by creating a fresh offering that incorporates the latest advancements as well.

Ready or not, the FDA is becoming more involved in the vast array of digital medtech solutions being offered by healthcare firms. Proactive companies can turn these digital capabilities into a competitive advantage, which could lead to better value for all stakeholders. 

---

Florence Joffroy-Black, CM&AA, is a longtime marketing and M&A expert with significant experience in the medical technology industry, including working for multi-national corporations based in the United States, Germany, and Israel. She currently is CEO at MedWorld Advisors and can be reached at florencejblack@medworldadvisors.com.

Dave Sheppard, CM&AA, is a former medical technology Fortune 500 executive and is now focused on M&A as a managing director at MedWorld Advisors. He can be reached at davesheppard@medworldadvisors.com.