FDA has issued its final guidance on integrating cybersecurity into quality systems and premarket submissions. Excerpted from our interview with Kevin Fu, "Of SBOMs and Threat Models: An Expert’s View of New FDA Cybersecurity Guidance."
Cybersecurity in medical devices has gone from being a regulatory backwater that was largely ignored by product companies just a decade ago to an area that is now top of mind for the medtech industry, regulators, and legislators. On September 26 FDA issued its highly anticipated final guidance document on how cybersecurity needs to be integrated into a device manufacturer’s quality system and premarket submissions. In addition, on Capitol Hill, Congress passed and President Biden signed into law an omnibus bill (the 2023 Omnibus Appropriations Act) that includes several medtech cyber provisions, a number of which industry had long sought.
The history of the omnibus bill is an example of how the attitudes and awareness of legislators and regulators have evolved when it comes to cyber threats. The omnibus bill’s cyber provisions have their roots in what was called the PATCH (Protecting and Transforming Cyber Health Care) Act, many parts of which had been promoted by industry for years before the bill was introduced in 2021; several of its provisions were ultimately included in the omnibus legislation. The basic goal of the PATCH Act was to protect against cyberattacks by outlining a minimum standard of cyber requirements for the pre- and postmarket phases of a device's lifecycle.
The omnibus bill takes that further by laying out how extensive the FDA's new authority on cybersecurity will be. Under this legislation, all device companies submitting applications to the FDA must demonstrate that their product meets these cyber standards. In the past, cybersecurity was often assessed separately from the safety and effectiveness of the device, frequently being incorporated as an add-on to the final product. The current legislation is intended to ensure that devices are now secure by design, and that security extends throughout the viability of a device by using a TPLC (Total Product Life Cycle) approach to cyber protection.
To guide our readers through this recent and ongoing government-wide focus on cybersecurity, we once again called on Kevin Fu, who has previously joined us for a series of conversations helping to explain this complex and rapidly evolving area. Fu is a pioneer in the medtech cybersecurity space—he launched the Archimedes Center at his lab at the University of Michigan to study this area and work with industry and healthcare institutions to more effectively understand and defend against this growing threat. He then moved on to become the first medtech cyber czar at the FDA, leaving recently to return to academia, transferring his lab, including the Archimedes Center, to Northeastern University in Boston.
In a wide-ranging interview with Market Pathways, Fu explains how the recent FDA guidance document outlines what the agency expects from device companies in terms of the evidence they must provide to demonstrate that their product meets current cyber standards. Of particular note is the use of tools such as the SBOM (“s-bomb”: software bill of materials) to identify the software, including that from third parties, used in devices, and threat modeling to protect against the evolving global nature of cyber threats from state, as well as individual, actors. In addition, Fu speaks to the importance of international bodies, most notably the IMDRF (International Medical Device Regulators Forum), and how that group’s guidance documents help harmonize global efforts to combat medtech cybersecurity risks.