Oct. 1 Deadline for FDA Medical Device Cyber Standards: How Providers Should Prepare

By the First Health Team

In less than three months, the Food and Drug Administration will begin to “refuse to accept” medical devices and related systems over cybersecurity reasons. By Oct. 1, all new device submissions must include detailed cybersecurity plans, as announced by the FDA on March 29.

The FDA was given these new authorities as part of the Consolidated Appropriations Act of 2023, signed into law on Dec. 29, 2022. The law included requirements for premarket submissions proposed by the industry-lauded Protecting and Transforming Cyber Health Care (PATCH) Act and created long-desired FDA authorities left out of previous resolutions.

In short, by Oct. 1, device manufacturers will be required to submit their plans to monitor, identify and address, in a reasonable timeframe, all post-market cybersecurity vulnerabilities and exploits through coordinated vulnerability disclosures and response plans.

Developers will also need to design and maintain procedures able to demonstrate, with reasonable assurance, that their devices and related systems are cybersecure, while creating post-market updates and patches to devices and connected systems to address, “on a reasonably justified regular cycle,” known unacceptable vulnerabilities, according to the FDA rule.

While these rules apply to medical device manufacturers and developers, healthcare delivery organizations (HDOs) will begin to experience small but widespread industry changes, according to First Health Advisory’s Chief Security Officer of Clinical & Operational Security and Technology Matt Dimino.

Here’s how Dimino sees these changes, which “certainly require shared responsibility between all stakeholders,” impacting healthcare delivery organizations and manufacturers:

For manufacturers, this means they must address cybersecurity during the design and development of the medical device in accordance with guidelines and industry best practice documentation. These actions are designed to create more robust and efficient risk mitigation.

Manufacturers must establish and follow the Quality System Regulation (QSR) in 21 CFR Part 820, which is relevant to premarket, post-market, or both. One of the methods to satisfy the QSR requirement is for manufacturers to develop a Secure Product Development Framework (SPDF).

A Secure Product Development Framework (SPDF) is designed to account for all states of a device’s lifecycle, which helps establish software validation and risk analysis processes to demonstrate that the devices have a reasonable assurance of safety and effectiveness. Additionally, this helps manufacturers and HDOs with a cybersecurity vulnerability and management approach.

Although the above sounds positive and a move in the right direction, the bill is ambiguous and non-prescriptive. The language within the bill indicates that manufacturers must demonstrate “reasonable” assurance of safety and effectiveness and support “timely” corrective and preventive action (CAPA) activities. This type of language does not define what is reasonable or timely, allowing manufacturers to potentially drag their feet, leaving HDOs in the dark.

Here are some items an HDO should consider:

• Update your contract language, and ensure you have controls and protection mechanisms in your contracts as you procure these devices affected by this bill.

· Specify what is acceptable for your organization and what is not; for instance, you expect a patch to be available within 30 days of an identified vulnerability. Also, clarify how the patch will be performed. Is this available for the internal team to perform, or does the manufacturer have to do it? Does it require local access, or can it be conducted remotely?

· Also, is there a fee associated with the work the manufacturer performs? Does your support contract cover this type of work, or is this a T&M process? Nail down your specifics, as this could drastically change the costs associated with your support agreements. Make sure you properly budget for this.

• Establish governance covering your security protocols, what you need, how you expect to secure medical devices, and how you expect the manufacturer to secure them. Just because manufacturers are to offer more inherent security controls and opportunities for compensating controls doesn’t mean the device will come in through the loading dock fully hardened and ready to meet your security requirements.

• Audit devices when they are procured and in the process of being onboarded. Ensure the device has no current open vulnerabilities, install agents (if applicable) at delivery time, enable controls, and ensure the device meets the specified contract language.

· Hold the vendor accountable and put the effort back on the manufacturer to harden the device during this time.

· Audit the applied controls and security during preventative maintenance and corrective maintenance intervals and check the manufacturer websites, portals, and bulletins for updates to these controls.

• Establish a process for onboarding these new devices. Record the asset information in the computerized maintenance management system (CMMS) and include the applied or enabled controls.

· Record and set a schedule for the patching cadence set forth by the manufacturer and any other pertinent information supplied by the manufacturer to assist in coordinating vulnerability and risk disclosures.

In the end, these rules create a new standard of acceptance from the FDA and suggest that new device submissions that do not adequately demonstrate adherence to the new requirements will likely be refused and not cleared for use. Providers can leverage these rules to enact stronger expectations for their medical device vendors in an effort to strengthen overall device posture.