This article is co-written with Andy Watkin-Child, founding Partner of Parava Security Solutions, a consultancy specialising in helping leaders manage cybersecurity risks.
Reliance on digital infrastructure is creating increasing cyber risks for all organisations, and for those operating in the healthcare sector this includes the risk inherent in medical devices which rely on software. The US recently passed a law requiring medical devices to meet cyber security standards for Food and Drug Administration (FDA) authorisation, and the EU and UK are moving in the same direction.
In this article, we look at the evolving regulatory position.
The US 2023 Consolidated Appropriations Act signed into law medical device cybersecurity
On 29 December 2022, the U.S President signed into law the ‘Consolidated Appropriations Act 2023’. This is the Omnibus spend that packages smaller appropriation bills into a single larger bill that can be passed by U.S Congress. The Act signed into law $1.7 trillion to fund U.S federal Government for 2023, apportioning spending across a wide range of Federal activities and laws.
The Act is a significant piece of legislation that funds federal agencies, departments and administrations that includes the Food and Drug Administration (FDA) for the forthcoming year. It has also been known to pass regulations and laws, and the 2023 Consolidated Appropriation Act was no exception. Under ‘TITLE III – FOOD AND DRUG ADMINISTRATION, Subtitle C – Medical devices‘, a requirement for ‘ENSURING CYBERSECURITY OF MEDICAL DEVICES)’ was signed into law (SEC 3305) which is effective from 29 March 2023, 90 days from the enactment of the Act.
The requirement applies to medical device manufacturers who submit device applications to the FDA under section 510(k), 513, 515(c), 515(f), or 520(m) and meet the definition of a ‘cyber device’, meaning devices that have software installed; have the ability to connect to the internet and have technical characteristics that could result in a vulnerability to cybersecurity threats. Where this is the case the manufacturer or sponsor of an application must:
- Submit a plan as to how they will monitor, identify, and address as appropriate, in a reasonable time, post market cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures.
- Design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure. By making available post market updates and patches to the device and related systems to address known unacceptable vulnerabilities, and critical vulnerabilities that could cause uncontrolled risks.
- Provide a software bill of materials (SBoM), including commercial, open-source, and off-the-shelf software components.
- Comply with such other requirements as the FDA may require through regulation to demonstrate reasonable assurance that the device and related systems are cybersecure.
This is a significant development for medical device manufacturers globally. It opens the way for the FDA to mandate cybersecurity risk management of medical devices that includes vulnerability and patch management, the management of the Software Development Lifecycle and attestation over product cybersecurity.
On 1 March 2023 the U.S president signed the National cybersecurity strategy. That formalises U.S cybersecurity strategy by the Executive Office. It lays the ground for further cybersecurity regulation in the U.S that will affect Critical National Infrastructure(CNI) providers, including the healthcare sector. The U.S Securities and Exchange Commission has also proposed cybersecurity risk management regulation that will affect public firms covered under the Securities and Exchange Act 1934, which is expected to be released before the end of H1 2023 and is a further sign that cybersecurity regulation is being taken seriously.
The position in the EU and UK
The FDA requirement comes at a time when regulators are introducing cybersecurity risk management regulation globally. The European Union released directive (EU) 2022/2555 on 14 December 2022 (known as EU NIS 2.0) and has to be transposed by Member States within 21 months. EU NIS 2.0 affects Critical National Infrastructure (CNI) providers, that includes the health sector and the manufacturers of medical devices considered to be critical during a public health emergency under Article 22 of regulation (EU) 2022/123. It requires organisations that manufacture covered medical devices to implement cybersecurity risk management; appropriate corporate governance processes for the oversight and assurance of cybersecurity risks; evaluate control effectiveness and attest to the effectiveness of the risk treatments performed. These requirements will sit alongside those addressed in EU medical device regulation.
While in the UK it remains to be seen how the government will implement the outcome of its consultation on proposals to improve the UK’s cyber resilience, including by updating the current Network and Information Systems Regulations 2018 (SI 2018/506) (NIS Regulations), steps are already being taken towards regulating cybersecurity risk in medical devices.
The government proposes to include cybersecurity as an essential minimum requirement for software as medical devices. This proposal arises from a consultation on future regulation carried out in 2021, in response to which industry broadly welcomed the introduction of cyber security requirements and recommended alignment with international frameworks and standards. As a result, the government intends to introduce a requirement akin to EU MDR General Safety and Performance Requirement (GSPR) 17.4 (for medical devices) and EU IVDR GSPR 16.4 (for IVDs) covering cybersecurity and associated requirements. And building on this, the MHRA’s Software and AI as a Medical Device Change Programme, includes mitigating cybersecurity risks as one of its work packages.
For further information, please contact:
Jamie Foster, Partner, Hill Dickinson