New FDA Medical Device Cybersecurity Requirements and How to Simplify Compliance
New regulations require any medical device that uses software to collect and transmit data to be protected against potential cybersecurity threats. These types of devices both monitor and save lives, so ensuring the security of medical devices is critical. However, the new requirements significantly increase compliance pressures on manufacturers, which could slow efforts to bring important new devices and capabilities to market.
Fortunately, despite the rigor of these looming requirements, compliance doesn't have to be a headache.
New Medical Device Cybersecurity Requirements
The Consolidated Appropriations Act of 2023, also known as the US Omnibus Bill, was signed into law on December 29, 2022. Section 3305 of this act includes provisions that will significantly impact the healthcare industry, especially regarding the cybersecurity of medical devices that require premarket review by the Food and Drug Administration. The act amended the Federal Food, Drug, and Cosmetic (FD&C) Act, giving explicit statutory authority to the FDA to regulate the cybersecurity of medical devices. As of March 29, 2023, the FD&C Act now includes Section 524B, "Ensuring Cybersecurity of Devices," which outlines key provisions that medical device manufacturers must adhere to. These provisions include the following:
- A cyber device is defined as a device with software that is validated, installed, or authorized by the manufacturer as a device or in a device, which can connect to the internet, and contains technological characteristics validated, installed, or authorized by the manufacturer that could be vulnerable to cybersecurity threats.
- Any submissions or applications that meet the definition of a cyber device are subject to the section’s cybersecurity requirements.
- Manufacturers must be able to offer reasonable assurance that the device is cybersecure and can be updated and patched to address unacceptable or critical vulnerabilities.
- Manufacturers must provide documented evidence, such as an SBOM (software bill of materials), covering commercial, open-source, and off-the-shelf software components.
Manufacturers must also demonstrate reasonable assurance that the device and related systems are cybersecure.
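The provision that a device "can be updated and patched" is only meaningful if the device can tell a genuine manufacturer patch from anything else. The following is an added example, not code from this page, from BlackBerry QNX, or from the FDA, of the device-side check behind a trustworthy patch path: a signed update package is accepted only if the manufacturer's signature verifies, the version counter is newer than what is installed (anti-rollback), and the payload matches the signed hash. The package layout, the choice of Ed25519, and the firmware bytes are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed package layout (an assumption for this example, not a QNX or FDA format):
//   [4 bytes big-endian version counter][32 bytes SHA-256 of payload][64 bytes Ed25519 signature][payload]
// The signature covers the version counter and the payload hash, so both the
// contents and the anti-rollback counter are bound to the manufacturer's key.
const (
	versionLen = 4
	hashLen    = sha256.Size
	sigLen     = ed25519.SignatureSize
	headerLen  = versionLen + hashLen + sigLen
)

var (
	ErrTruncated    = errors.New("update package shorter than header")
	ErrBadSignature = errors.New("signature does not verify under manufacturer key")
	ErrHashMismatch = errors.New("payload hash does not match signed hash")
	ErrRollback     = errors.New("update version is not newer than installed version")
)

// BuildUpdate is the manufacturer-side step: hash the payload, sign version||hash.
func BuildUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	manifest := make([]byte, versionLen+hashLen)
	binary.BigEndian.PutUint32(manifest[:versionLen], version)
	sum := sha256.Sum256(payload)
	copy(manifest[versionLen:], sum[:])
	sig := ed25519.Sign(priv, manifest)
	pkg := make([]byte, 0, headerLen+len(payload))
	pkg = append(pkg, manifest...)
	pkg = append(pkg, sig...)
	return append(pkg, payload...)
}

// VerifyUpdate is the device-side step. Order matters: authenticate the header
// before trusting anything in it, then enforce anti-rollback, then check the payload.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, pkg []byte) (uint32, []byte, error) {
	if len(pkg) < headerLen {
		return 0, nil, ErrTruncated
	}
	manifest := pkg[:versionLen+hashLen]
	sig := pkg[versionLen+hashLen : headerLen]
	payload := pkg[headerLen:]
	if !ed25519.Verify(pub, manifest, sig) {
		return 0, nil, ErrBadSignature
	}
	version := binary.BigEndian.Uint32(manifest[:versionLen])
	if version <= installed {
		return 0, nil, ErrRollback
	}
	sum := sha256.Sum256(payload)
	if !bytes.Equal(sum[:], manifest[versionLen:]) {
		return 0, nil, ErrHashMismatch
	}
	return version, payload, nil
}

func main() {
	// Constructed demo: the manufacturer key pair would normally live in an HSM,
	// and only the public key is provisioned onto the device.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	firmware := []byte("constructed firmware image v2")
	pkg := BuildUpdate(priv, 2, firmware)

	v, _, err := VerifyUpdate(pub, 1, pkg)
	fmt.Println("genuine update:", v, err)

	tampered := append([]byte(nil), pkg...)
	tampered[len(tampered)-1] ^= 0x01 // flip one payload bit
	_, _, err = VerifyUpdate(pub, 1, tampered)
	fmt.Println("tampered payload:", err)

	_, _, err = VerifyUpdate(pub, 2, pkg) // device is already at version 2
	fmt.Println("replayed old update:", err)
}
```

The ordering inside VerifyUpdate is the point: the version counter is read only after the signature over it has verified, so an attacker cannot feed the device a forged counter to trigger or block an update, and the rollback check runs before the (comparatively expensive) payload hash so an old, genuine package is rejected early.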
Healthcare IoT Devices Need More Protection
Malicious actors increasingly target sensitive patient data — and organizations must manage more of it every day. As the medical Internet of Things (IoT) grows and becomes increasingly complex, so does the amount of data created. These and other factors have combined to increase healthcare cybersecurity risks.
However, the onus of securing devices and data goes beyond healthcare organizations. According to the International Medical Device Regulators Forum, medical device manufacturers also bear a shared responsibility.
The FDA has been aware of the challenge for more than a decade, ever since it published a guidance document titled “Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software.” Now, regulatory developments appear to be catching up.
Stricter requirements are looming in many regions. For example, the European Cyber Resilience Act proposes new European Union (EU) cybersecurity rules, which would subject manufacturers deploying devices in the EU to a new set of criteria to ensure safer hardware and software. This includes establishing processes and actions to prioritize security at every stage of a product’s life cycle.
Securing Medical Devices Through Compliance
Manufacturers will need to adapt quickly to keep pace with the evolving compliance landscape. This includes meeting pre-existing industry safety and security standards.
One such safety certification is IEC 62304, which provides assurance that a device has been designed and tested in accordance with industry standards for safety and performance. This certification helps to ensure that devices are safe, reliable, and effective in their intended use.
For devices to be considered safe, manufacturer processes that manage risk must also be assessed. ISO 14971 is a standard that helps medical device manufacturers improve their risk management. Compliance with this standard involves identifying potential risks associated with a device, analyzing those risks, and implementing measures to mitigate them. This helps maintain the integrity of the device to ensure patient safety. This risk management practice also includes assessing and mitigating security risks that relate to ensuring medical device safety.
Compliance with industry standards is just one part of a larger effort to promote the safety and security of medical devices. Continuous monitoring and improvement are also needed to stay ahead of an ever-evolving cyberthreat landscape.
How BlackBerry QNX Simplifies Compliance
BlackBerry QNX offers industry-leading, standards-compliant software solutions to help secure medical devices throughout the entire product lifecycle. This includes:
- The highly trusted QNX® Neutrino® RTOS (real-time operating system) provides a safe foundation for building software-powered devices in every industry where reliability matters. The latest release is built on a next-generation microkernel that scales to powerful new CPUs while delivering safety, security, and high performance for embedded software developers. BlackBerry® QNX® technology also reduces friction for developers: QNX in the cloud lets you develop software without access to dedicated hardware during the development process.
- BlackBerry QNX supports system-wide security policies to prevent malicious actions, such as denial-of-service attacks like “fork bombs.” In this type of attack, very small pieces of code replicate until they deplete system resources and ultimately cause a system crash.
- Device security, anti-counterfeiting, and product authentication features provide supply chain security with the use of public key infrastructure, code signing, and other applied cryptography and key management solutions.
- BlackBerry® QNX® Security Services include cyber risk assessments, threat modeling, security strategy, and governance, along with binary scanning for software composition analysis and security testing. The BlackBerry QNX services team can also help you to detect and list open-source software and uncover potential cybersecurity vulnerabilities and exposures.
BlackBerry QNX provides continuous support for security vulnerability monitoring and remediation.
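To show what an SBOM used as documented evidence looks like in practice, and how binary scanning for software composition analysis and ongoing vulnerability monitoring relate to it, here is an added example; it is not BlackBerry QNX tooling and not code from this page. It parses a constructed CycloneDX-style SBOM, extracts version banners from a constructed stand-in for a firmware image, and reports components that are undeclared, whose version differs from the declaration, or that appear in a constructed advisory table. The SBOM subset, the banner patterns, the image bytes, and the advisory entries are all assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Minimal subset of a CycloneDX-style SBOM: only the fields this example needs.
type Component struct {
	Name    string `json:"name"`
	Version string `json:"version"`
}

type SBOM struct {
	BOMFormat  string      `json:"bomFormat"`
	Components []Component `json:"components"`
}

// Constructed SBOM: what the manufacturer declares for the device firmware.
const sbomJSON = `{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "zlib",    "version": "1.2.13"},
    {"type": "library", "name": "openssl", "version": "3.0.8"},
    {"type": "library", "name": "libcurl", "version": "7.88.1"}
  ]
}`

// Constructed stand-in for a firmware image: arbitrary bytes carrying the kind
// of version banners that libraries embed and that binary scanners look for.
var firmwareImage = []byte("\x7fELF...\x00zlib version 1.2.13\x00...\x00OpenSSL 3.0.9 7 Feb 2023\x00...\x00libcurl/7.88.1\x00...\x00libxml2 2.10.3\x00")

// Constructed advisory table (component name -> affected versions). These entries
// are invented for the example and are not taken from any real vulnerability feed.
var advisories = map[string][]string{
	"openssl": {"3.0.9"},
	"libxml2": {"2.10.3"},
}

// Banner patterns: group 1 is the component name as used in the SBOM, group 2 the version.
var bannerPatterns = []*regexp.Regexp{
	regexp.MustCompile(`(zlib) version (\d+\.\d+\.\d+)`),
	regexp.MustCompile(`(OpenSSL) (\d+\.\d+\.\d+)`),
	regexp.MustCompile(`(libcurl)/(\d+\.\d+\.\d+)`),
	regexp.MustCompile(`(libxml2) (\d+\.\d+\.\d+)`),
}

// ParseSBOM decodes the document and rejects components that lack a name or version,
// since an SBOM entry without a version cannot be matched against advisories.
func ParseSBOM(data []byte) (SBOM, error) {
	var s SBOM
	if err := json.Unmarshal(data, &s); err != nil {
		return s, err
	}
	if s.BOMFormat != "CycloneDX" {
		return s, fmt.Errorf("unexpected bomFormat %q", s.BOMFormat)
	}
	for _, c := range s.Components {
		if c.Name == "" || c.Version == "" {
			return s, fmt.Errorf("component %q lacks name or version", c.Name)
		}
	}
	return s, nil
}

// ScanBinary returns component name -> version for every banner found in the image.
func ScanBinary(image []byte) map[string]string {
	found := map[string]string{}
	for _, re := range bannerPatterns {
		if m := re.FindSubmatch(image); m != nil {
			found[strings.ToLower(string(m[1]))] = string(m[2])
		}
	}
	return found
}

type Finding struct {
	Component, Detail string
}

// Reconcile compares the declared SBOM with what the binary actually contains and
// flags undeclared components, version mismatches, and versions with an advisory.
func Reconcile(sbom SBOM, found map[string]string, adv map[string][]string) []Finding {
	declared := map[string]string{}
	for _, c := range sbom.Components {
		declared[strings.ToLower(c.Name)] = c.Version
	}
	var out []Finding
	for name, ver := range found {
		decl, ok := declared[name]
		switch {
		case !ok:
			out = append(out, Finding{name, "present in binary but missing from SBOM"})
		case decl != ver:
			out = append(out, Finding{name, fmt.Sprintf("SBOM declares %s, binary contains %s", decl, ver)})
		}
		for _, bad := range adv[name] {
			if bad == ver {
				out = append(out, Finding{name, "version " + ver + " has a known advisory"})
			}
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Component+out[i].Detail < out[j].Component+out[j].Detail })
	return out
}

func main() {
	sbom, err := ParseSBOM([]byte(sbomJSON))
	if err != nil {
		panic(err)
	}
	for _, f := range Reconcile(sbom, ScanBinary(firmwareImage), advisories) {
		fmt.Printf("%-8s %s\n", f.Component, f.Detail)
	}
}
```

Run as written, the report shows the two failure modes a reviewer cares about: a component the SBOM never mentions (libxml2) and a component whose shipped version differs from the declared one (openssl), each also matched against the advisory table. Scanning the shipped image rather than trusting the build manifest is what turns the SBOM from a document into evidence, and rerunning the same reconciliation whenever the advisory table changes is the monitoring half of the obligation.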
Today’s Challenges Are Tomorrow’s Opportunities
Whether updating an existing medical device or developing a new one that requires pre-market FDA approval, BlackBerry QNX has solutions to address your cybersecurity needs and help ensure compliance. To learn more about how your organization’s cybersecurity needs can benefit from the BlackBerry QNX suite of solutions, contact the BlackBerry QNX team.
Join industry experts at the in-person forum, "Cybersecurity for Medical Devices — from Regulation to Surveillance," to get up to speed on the latest FDA regulations on medical device security. Locations: Boston (Newton, MA) June 15 and Silicon Valley (Sunnyvale, CA) June 22. Learn more and register.