FDA Cybersecurity Regulations Add Medical Device Requirements

October 2023

by Julia Winer

As more medical devices are produced to function wirelessly and with network capabilities, the risk of disruptions and even negative health outcomes as the result of a network breach becomes a serious concern for medical device manufacturers. New FDA cybersecurity regulations went into effect on March 29, 2023, requiring applications for the production of new devices to include plans for monitoring and addressing possible vulnerabilities. This blog will cover the newly added requirements and plans manufacturers should have in place to achieve compliance. 

Under the new regulations, the sponsor of a submission to the FDA must submit a plan to “monitor, identify, and address…postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure.” This means that it’s not enough to check for vulnerabilities before release—exposure to end-users inevitably raises new challenges, so manufacturers must have documented cybersecurity risk management procedures for identifying, disclosing and resolving vulnerabilities after their product reaches the market.  

Additionally, manufacturers should have documented evidence of their cybersecurity procedures so they can provide the FDA with a “reasonable assurance” that the device is cybersecure. Once the product hits the market, they should also have processes in place both to patch their device on a regular basis and to make timely out-of-cycle updates so they can address critical vulnerabilities before an incident occurs. 

Finally, manufacturers should provide the FDA with a “software bill of materials” that covers the components they’ve purchased off-the-shelf and developed using open-source tools. By tracking the software components that a given device shares with others on the market, the FDA makes it easier to determine when a vulnerability that’s been discovered in one device might be applicable to others. 
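To illustrate the cross-referencing the SBOM requirement makes possible, here is an added Python example (written for this post, not code from ProcessUnity or the FDA) that indexes constructed SBOM fragments for several hypothetical devices and reports which of them ship a component below the version an advisory says is fixed; the device names, component names, versions and the advisory are all made-up sample data.

```python
import re
from collections import defaultdict

# Constructed, CycloneDX-style SBOM fragments for three hypothetical devices.
# Only the fields the cross-reference needs (component name and version) are kept.
DEVICE_SBOMS = {
    "infusion-pump-100": {"components": [
        {"name": "acme-tls", "version": "2.4.1"},
        {"name": "acme-httpd", "version": "1.9.0"},
    ]},
    "patient-monitor-7": {"components": [
        {"name": "acme-tls", "version": "2.6.0"},
        {"name": "rtos-net", "version": "3.1.2"},
    ]},
    "insulin-pump-x": {"components": [
        {"name": "acme-tls", "version": "2.3.9"},
    ]},
}

# Constructed advisory: every acme-tls build before 2.5.0 is affected.
ADVISORY = {"component": "acme-tls", "fixed_in": "2.5.0"}


def version_key(version):
    """Turn '2.4.1' into (2, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def build_component_index(sboms):
    """Map each (component name, version) pair to the set of devices that ship it."""
    index = defaultdict(set)
    for device, sbom in sboms.items():
        for comp in sbom.get("components", []):
            index[(comp["name"], comp["version"])].add(device)
    return index


def affected_devices(index, advisory):
    """Return the devices whose SBOM lists the advisory's component below the fixed version."""
    fixed = version_key(advisory["fixed_in"])
    hits = set()
    for (name, version), devices in index.items():
        if name == advisory["component"] and version_key(version) < fixed:
            hits.update(devices)
    return sorted(hits)


if __name__ == "__main__":
    idx = build_component_index(DEVICE_SBOMS)
    print(affected_devices(idx, ADVISORY))  # ['infusion-pump-100', 'insulin-pump-x']
```

The same index answers the inverse question a manufacturer needs for out-of-cycle patching: given one device's component list, which other products in the portfolio share an affected version.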

These new rules require both the implementation of new cybersecurity controls and the drafting of procedures to disclose those controls to regulators. Especially as professionals hurry to compile controls across domains, it can be challenging to keep all of the new data organized. With a cybersecurity risk management platform like ProcessUnity for Cybersecurity Risk Management, you can track your cybersecurity controls and policies within a single platform. This platform enables your team to track the risks you’ve identified within a risk register, enabling faster action when it comes time to target vulnerabilities and release patches. Finally, with configurable reporting, ProcessUnity makes it easier than ever to deliver the information you need in a matter of seconds.
