FDA Cybersecurity Guidelines for Medical Devices: 2024 Guide

7 min read | 17/04/2024

Shlomit Cymbalista
Emily Holmquist

With the recent updates to cybersecurity guidelines for medical devices and the expanded authority granted to the FDA for enforcement, there is a wealth of information to explore. This article will delve into everything you need to know about these developments.

Before delving into the details, let’s start by covering the fundamentals:

What Is the Food and Drug Administration (FDA) and How Does It Oversee Medical Devices?

The Food and Drug Administration (FDA) is a federal agency of the United States Department of Health and Human Services, tasked with protecting public health by ensuring the safety, efficacy, and security of human and veterinary drugs, biological products, and medical devices. It also oversees the nation’s food supply, cosmetics, and products that emit radiation. 

The FDA plays a critical role in regulating the design, manufacturing, distribution, and post-market surveillance of medical devices, ensuring that those available to the American public meet strict safety and effectiveness standards. As the oldest consumer protection agency in the U.S., the FDA sets some of the world’s most responsible standards for quality.

To oversee medical devices, the FDA uses a regulatory framework that classifies devices based on the risk they pose to the patient and/or user. Class I devices are deemed to pose the lowest risk and are subject to the least regulatory control. Class II devices are higher risk and require more regulatory controls to provide reasonable assurance of the device’s safety and effectiveness. Class III devices are considered the highest risk and generally require premarket approval (PMA), a scientific review to ensure the device’s safety and effectiveness. 

Beyond classification, the FDA also requires manufacturers to adhere to Quality System (QS) regulations, which cover the device’s design, production, labeling, and more, to ensure quality and safety throughout a product’s lifecycle.

This is part of a series of articles about medical device cybersecurity


What Are the New Cybersecurity Guidelines for Medical Devices?

On September 27, 2023, the FDA issued a major update to its cybersecurity guidelines for medical devices through a guidance paper titled “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions” (download the paper here and find a summary of the essentials in our Regulation Learning Center). This guidance supersedes the 2014 guidance, with detailed recommendations on cybersecurity risk assessments, interoperability, and the required documents for premarket submissions. 

The updated guidance is underpinned by the new authority granted to the FDA by the Food and Drug Omnibus Reform Act (FDORA), part of the Consolidated Appropriations Act for 2023. This act authorizes the FDA to mandate cybersecurity information in submissions for “cyber devices” and ensures that manufacturers demonstrate these devices are “cybersecure.” Cyber devices are medical devices incorporating software that, according to the March 2024 FDA update, are network-capable (e.g. can connect to the internet or an intranet) and are thus susceptible to cybersecurity threats. 

The above-mentioned Omnibus Bill specifies requirements for premarket device submissions, including:

  • Plans for postmarket cybersecurity vigilance
  • Processes ensuring device cybersecurity
  • A software bill of materials
  • Adherence to additional FDA regulations ensuring device and system security

Since the publication of the new guidelines and the omnibus bill granting the FDA new authority, the FDA has been issuing Refuse to Accept (RTA) letters when manufacturers submit a “cyber device” that does not meet the new cybersecurity requirements. An RTA means that the FDA will not review a submission for a new medical device because it did not meet the basic cybersecurity requirements or is missing required information.


The General Principles of FDA’s Medical Device Security Guidelines

Here is an outline of the general principles covered by the new guidelines.

Secure Product Development Framework (SPDF)

The Secure Product Development Framework (SPDF) is a comprehensive set of processes designed to identify and mitigate vulnerabilities throughout a product’s lifecycle, including its design, development, release, support, and eventual decommission. By focusing on reducing the number and severity of vulnerabilities, an SPDF helps in minimizing the exploitability of devices, reducing the potential for patient harm.

Implementing an SPDF aids in meeting the Quality System (QS) regulation requirements. It also serves as a proactive measure against cybersecurity threats. This framework can be integrated with a manufacturer’s existing product development, risk management, and quality systems. The FDA encourages the use of an SPDF due to its effectiveness in compliance and cybersecurity. To learn more about the specific cybersecurity recommendations included in the SPDF, see the following section.

Designing for Security

The FDA evaluates a device’s cybersecurity in premarket submissions based on various factors, including its ability to meet specific security objectives given its architecture. These objectives encompass authenticity, authorization, availability, confidentiality, and secure, timely updatability and patchability. 

Information provided in FDA submissions should detail how these objectives are incorporated into the device design, considering factors like intended use, data interfaces, environment of use, and the risks associated with cybersecurity vulnerabilities. The design process must aim to reduce vulnerabilities and their exploitability, thus lowering the risk of patient harm. 

A follow-up article diving deeper into security risk management is coming soon.

Transparency

Transparency in cybersecurity is essential for the safe and effective use of medical devices. Manufacturers must provide users with necessary information about the device’s cybersecurity controls, potential risks, and other relevant details. 

This includes coordinated vulnerability disclosure of new zero-day vulnerabilities and newly known vulnerabilities, communication interfaces, third-party software (e.g. via a Software Bill of Materials (SBOM)), and instructions for secure configuration or updates. Such transparency is important for users to understand the device’s resilience to cybersecurity threats and how to manage those threats effectively.

Submission Documentation

The level of cybersecurity documentation required in premarket submissions scales with the device’s cybersecurity risk. Manufacturers should consider the broader system in which the device operates. The documentation should demonstrate a reasonable assurance of safety and effectiveness, reflecting comprehensive design controls and cybersecurity risk assessments conducted during the device’s development. 

The FDA’s guidance on premarket submissions emphasizes the importance of including cybersecurity information to support the assessment of a device’s safety and effectiveness.

Find the full list of required documents for submission in Appendix 4 of the guidance (page 45).

9 FDA Recommendations for Managing Cybersecurity Risks

As part of its Secure Product Development Framework (SPDF), the FDA recommends the use of the following techniques and tools to help identify and mitigate cybersecurity risks in medical devices.

1. Threat Modeling

Threat modeling aids in identifying and addressing potential cybersecurity threats within medical device systems. It helps in understanding security risks and vulnerabilities across the system and defines countermeasures to mitigate these threats. 

The FDA recommends incorporating threat modeling throughout the device’s design process to ensure comprehensive risk identification and control. This modeling should include assumptions about the device system or its ecosystem, such as network security, and consider cybersecurity risks introduced through the supply chain and various lifecycle stages. 

Use the MITRE threat modeling playbook to help plan out your program.

2. Cybersecurity Risk Assessment

Cybersecurity risk management ensures that devices are designed with security in mind to mitigate potential threats. Manufacturers should integrate security risk management with their overall quality system, addressing it throughout the Total Product Life Cycle (TPLC). This involves focusing not only on physical injuries but also on risks that could indirectly harm patients through cybersecurity vulnerabilities, and, among other things, following these standards for security risk management: AAMI TIR57 (premarket), ANSI/AAMI SW96, and AAMI TIR97 (postmarket).

The FDA recommends establishing security risk management processes that cover design, manufacturing, and distribution phases, along with post-market updates, emphasizing the importance of considering the broader system in which a device operates.

3. Interoperability Considerations

Interoperability between medical devices and other systems introduces additional cybersecurity considerations. Manufacturers should ensure that cybersecurity risks associated with interoperable functionality are assessed and controlled. 

This includes evaluating connections with other medical devices, healthcare infrastructure, and general-purpose computing platforms. Implementing cybersecurity controls should facilitate safe and effective information exchange without unnecessarily complicating or hindering device interoperability.

4. Third-Party Software Components

The use of third-party software components in medical devices requires thorough cybersecurity risk assessment and management. Manufacturers must document all software components and mitigate associated risks. 

This includes assessing third-party software for cybersecurity risks and ensuring compliance with design controls and supplier management requirements. Manufacturers should also have plans for updating or replacing third-party software components as needed to address security concerns or end-of-support issues.

5. Software Bill of Materials (SBOM)

An SBOM is crucial for understanding and managing cybersecurity risks associated with software components within a medical device. It should list all software components, including third-party and open-source software, and their dependencies. 

An SBOM helps in identifying devices and systems that might be affected by vulnerabilities in these components. The FDA requires including SBOM documentation in premarket submissions to assist in evaluating device risks related to cybersecurity.
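As an added illustration (not part of the original article), the following shows how an SBOM that lists exact component versions and their dependencies lets a manufacturer find which fleet devices carry a component named in an advisory, and through which dependency chain. The SBOMs, versions and advisory ids are constructed sample data in a simplified CycloneDX-like shape, not real devices or CVEs.

```python
import json
# Constructed SBOMs in a simplified CycloneDX-like shape (not a full schema):
# each component has a name, an exact version and the components it uses.
FLEET_SBOMS = {
    "infusion-pump-A": json.dumps({"components": [
        {"name": "device-app", "version": "2.1.0", "dependsOn": ["tls-lib", "rtos-kernel"]},
        {"name": "tls-lib", "version": "1.4.2", "dependsOn": ["crypto-core"]},
        {"name": "crypto-core", "version": "0.9.7", "dependsOn": []},
        {"name": "rtos-kernel", "version": "5.2.0", "dependsOn": []}]}),
    "patient-monitor-B": json.dumps({"components": [
        {"name": "device-app", "version": "3.0.1", "dependsOn": ["tls-lib", "rtos-kernel"]},
        {"name": "tls-lib", "version": "1.5.0", "dependsOn": ["crypto-core"]},
        {"name": "crypto-core", "version": "1.0.0", "dependsOn": []},
        {"name": "rtos-kernel", "version": "5.1.4", "dependsOn": []}]}),
}
# Constructed advisories (placeholder ids, not real CVE numbers): the affected
# component and the inclusive version range the advisory covers.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "component": "crypto-core", "min": "0.9.0", "max": "0.9.8"},
    {"id": "ADV-PLACEHOLDER-2", "component": "rtos-kernel", "min": "5.0.0", "max": "5.1.9"},
]

def parse_version(text):
    """'1.4.2' -> (1, 4, 2) so ranges compare numerically, not as strings."""
    return tuple(int(p) for p in text.split("."))

def dependency_path(components, target):
    """Walk from the hit up to a top-level component (e.g. app -> tls-lib -> crypto-core)."""
    parents = {}
    for comp in components:
        for dep in comp["dependsOn"]:
            parents.setdefault(dep, comp["name"])
    path = [target]
    while path[0] in parents and len(path) <= len(components):  # cycle guard
        path.insert(0, parents[path[0]])
    return path

def affected_devices(fleet_sboms=FLEET_SBOMS, advisories=ADVISORIES):
    """advisory id -> {device: dependency path to the vulnerable component}."""
    hits = {}
    for device, raw in fleet_sboms.items():
        comps = json.loads(raw)["components"]
        for comp in comps:
            for adv in advisories:
                if comp["name"] != adv["component"]:
                    continue
                if parse_version(adv["min"]) <= parse_version(comp["version"]) <= parse_version(adv["max"]):
                    hits.setdefault(adv["id"], {})[device] = dependency_path(comps, comp["name"])
    return hits
```

The reported path is what makes the transitive case visible: the pump never lists the crypto library as a direct dependency, yet it is affected because its TLS library pulls it in.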

6. Security Assessment of Unresolved Anomalies

Manufacturers should assess the security implications of software anomalies or vulnerabilities discovered during development or testing. This involves evaluating the potential impact on device safety and effectiveness and determining appropriate control measures. 

Documentation of these assessments, including any unresolved anomalies, should be included in premarket submissions to the FDA.

7. TPLC Security Risk Management

Cybersecurity risks should be managed throughout the device’s total product lifecycle (TPLC). Manufacturers need to update their security risk management documentation as new information becomes available and ensure that the device remains safe and effective against evolving cybersecurity threats. 

TPLC risk management includes maintaining updated documentation on threat modeling, cybersecurity risk assessments, and SBOMs.

8. Implementation of Security Controls

Effective cybersecurity relies on the implementation of robust security controls within the device design. These controls should address authentication, authorization, cryptography, data integrity, confidentiality, event detection and logging, and other critical security objectives.

Manufacturers should document the implementation and testing of these controls in premarket submissions to demonstrate their effectiveness in mitigating cybersecurity risks.

9. Cybersecurity Testing

Comprehensive cybersecurity testing is essential to validate the effectiveness of security controls and the device’s resilience against cyber threats. This includes vulnerability testing, penetration testing, assessment of the device’s response to security incidents, and verification and validation (V&V) testing of the security controls listed in recommendation 8.

Manufacturers should provide detailed documentation of cybersecurity testing methods, results, and any corrective actions taken to address identified vulnerabilities in premarket submissions.

Visit our Regulation Learning Center to learn more about the new FDA guidelines


Better Security Controls to Meet Regulatory Requirements with Sternum: Deterministic Security for IoT

Sternum is an IoT security and observability platform that lets you meet and exceed the security requirements of standards and regulations such as AAMI’s TIR 57, UL 2900 and the FDA Cybersecurity Guidance.

Embedded in the device itself, Sternum provides deterministic security with runtime protection against known and unknown threats; complete observability that provides data about individual devices and the entire device fleet; and anomaly detection powered by AI to provide real-time operational intelligence.

Sternum operates at the bytecode level, making it universally compatible with any IoT device or operating system, including RTOS, Linux, OpenWrt, Zephyr, Micrium, and FreeRTOS. It has a low overhead of only 1-3%, even on legacy devices.


Here is how Sternum can help you improve IoT security to meet regulatory requirements:

  • Agentless security – integrates directly into firmware, making it a part of the core build. This ensures that the solution cannot be externally compromised and leveraged as a point of failure.
  • Automatic mitigation of known and zero-day threats – prevents 96.5% of attacks in benchmark (RIPE) security tests. Its vulnerability-agnostic approach makes it equally effective in dealing with known and zero-day threats. This not only improves security but can also cut security patch management costs by as much as 60%.
  • Supply chain protection – relies on binary instrumentation, making it able to protect all running code. This extends to third-party and operating system libraries, effectively preventing most common supply chain exploit attempts.
  • Protection of isolated devices – does not rely on external communication to secure devices, making it equally effective for connected and isolated devices.
  • Live attack information – a real-time alert system notifies about all blocked attacks, providing detailed logs and attack path analysis for each.
  • Streamlined compliance – helps meet the latest cyber regulations for IoT devices (IEC 62443, FDA, NIST CSF 2.0, etc.) and the most current FBI recommendations for Internet of Medical Things (IoMT) endpoint protection.

Learn more about Sternum for IoT security

Related content: Read our guide about security by design
