On December 29, 2022, President Biden signed a new statute that will significantly impact medical device cybersecurity regulation. Section 3305 of the Consolidated Appropriations Act of 2023 (“Section 3305”) authorizes the Food and Drug Administration (FDA) to establish cybersecurity standards for medical devices.
The proliferation of the internet of things (IoT) into healthcare has had profound benefits for patient care, but it has also presented unique cybersecurity challenges for device manufacturers, healthcare providers, third-party device servicers, and patients. Last year, the Federal Bureau of Investigation’s (FBI) Cyber Division warned that cybersecurity vulnerabilities in medical devices have the potential to impact patient safety, healthcare facility operations, data confidentiality, and data integrity. In fact, security concerns with medical devices such as IV pumps have been discussed for at least ten years, including the concern that threat actors could remotely change dosages or make IV pumps free-flowing via a wireless or Bluetooth attack, resulting in catastrophic injury or death to patients.
The FBI noted that the average medical device remains in active use for 10 to 30 years, though software update life cycles vary and are specified by each individual manufacturer. These software life cycles range from a couple of months to the device’s maximum life expectancy. This, the FBI says, allows cyber threat actors time to discover and exploit vulnerabilities. This threat is particularly acute for legacy medical devices with outdated software because they do not receive manufacturer support for patches or updates intended to mitigate identified vulnerabilities and such legacy hardware does not have modern encryption capabilities.
The financial impact of the cyber threat on the medical industry is enormous. A survey conducted by the Ponemon Institute found that 50% of hospitals faced some kind of ransomware attack. These attacks often target critical but very common medical devices like MRI machines and heart rate monitors, which were involved in 88% of data breaches. The survey also indicates that, on average, companies paid between $250,000 and $500,000 per ransomware attack. While cyberattacks targeting medical devices do not typically result in the exposure of protected health information (PHI), cybercriminals often infiltrate medical devices to gain access to IT systems that host such data. In the event that PHI is exposed, IBM Security’s annual Cost of a Data Breach Report finds that the average cost of such a healthcare data breach is a record high of $10.1 million.
In response to growing cyber threats across critical industries, the U.S. federal government is expected to release a revised National Cybersecurity Strategy on or around February 14, 2023, which will seek to implement a federal “whole-of-government” approach to cybersecurity. In particular, the new National Cybersecurity Strategy is understood to direct a more assertive, enforcement-oriented approach to U.S. government cybersecurity regulation.
Concurrently, the healthcare industry is subject to increasing scrutiny of cybersecurity of medical devices, catalyzed by congressional enactment of Section 3305.
Section 3305 seeks to address growing cybersecurity concerns associated with medical devices by authorizing the FDA to implement and enforce new cybersecurity regulatory standards for premarket submissions of medical devices to ensure that devices are secure from the time they are introduced into the market. Under the new provisions, a party that submits a premarket medical device application must provide to the FDA Secretary a plan to monitor, identify, and address, as appropriate, in a reasonable time, post-market cybersecurity vulnerabilities and exploits. The plan must include coordinated vulnerability disclosure and related procedures.
As part of the premarket medical device approval process, manufacturers will be required to design, develop, and maintain a process and procedure to provide reasonable assurance that the device and related systems are cybersecure and make available post-market software and firmware updates and patches to the device and related systems to address:
- On a reasonably justified regular cycle, known unacceptable vulnerabilities; and
- As soon as possible out of cycle, critical vulnerabilities that could cause uncontrolled risk.
In addition, medical device applicants will be required to submit to the FDA a software bill of materials (“SBOM”), including commercial, open-source, and off-the-shelf software components.
Medical devices are defined broadly under 21 U.S.C.S. 321(h); however, medical device manufacturers must comply with the new requirements only if their device is determined to be a “cyber device.” Section 3305 defines a “cyber device” as a device that:
- Includes software that is validated, installed, or authorized by the sponsor;
- Has the ability to connect to the internet; and
- Contains any technological characteristics that could be vulnerable to cybersecurity threats.
These new rules are set to take effect 90 days after the passage of the omnibus appropriations act, or on March 22, 2023. Any applications submitted before this date are not subject to the new requirements. Once the law is effective, medical device manufacturers will need to comply with Section 3305 in order to avoid regulatory liability risk.
FDA Rulemaking and Public Guidance
Although Section 3305 identifies what types of medical devices are subject to the new requirements, other terms like “cybersecure,” “reasonable,” and “vulnerability” lack clarity in the statute. Section 3305 directs the FDA, in consultation with the Cybersecurity and Infrastructure Security Agency (CISA), to promulgate new rules for medical device cybersecurity no later than December 29, 2024. As part of the rulemaking process, the FDA is also instructed to solicit and receive feedback from device manufacturers, healthcare providers, third-party device servicers, patient advocates, and other appropriate stakeholders.
Additionally, Section 3305 requires the FDA to update public guidance regarding improving the cybersecurity of medical devices within 180 days, and annually thereafter. The guidance will include information on identifying and addressing cyber vulnerabilities for healthcare providers, health systems, and device manufacturers, and how to engage with U.S. government resources to improve the cybersecurity of devices.
Section 3305 makes non-compliance with any FDA requirement related to ensuring medical device cybersecurity a civil offense under the Federal Food, Drug, and Cosmetic Act (21 U.S.C. 33). Punishment may include a penalty not to exceed $15,000 for each such violation, and not to exceed $1,000,000 for all such violations adjudicated in a single proceeding. Additionally, non-compliant medical device manufacturers may be considered in violation of medical device application regulations.
Whole of Government Approach to Cybersecurity
Section 3305 does not stand alone. In the context of numerous prominent cyber-attacks in recent years against a range of high-profile targets across various industry sectors, including (among others) SolarWinds in 2020, Microsoft Exchange in 2021, Colonial Pipeline in 2021, and Advocate Aurora Health in 2022, the U.S. government has responded with a “whole of government” approach to addressing cybersecurity in critical industries. These parallel efforts include:
- On March 15, 2021, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which requires critical infrastructure owners and operators to report material security incidents within 72 hours and ransom payments within 24 hours to CISA. For more, see the Ankura coverage here.
- On May 12, 2021, President Biden issued Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity. EO 14028 improves the security of software supplied to the U.S. government and consumers by establishing baseline security standards for the development of such software, including requiring developers to maintain and provide greater visibility into the components used within their software and requiring vendors to make such security data publicly available. For more, see the Ankura coverage here.
- On November 3, 2021, the Department of Defense (DoD) issued an Advanced Notice of Proposed Rulemaking (ANPR) that changes the scope, structure, and roll-out of its Cybersecurity Maturity Model Certification (CMMC) efforts. For more, see the Ankura coverage here.
- On February 4, 2022, the National Institute of Standards and Technology (NIST) published Special Publication 800-218, “Secure Software Development Framework (SSDF) V1.1” (“NIST SP 800-218v1.1”), which seeks to establish “a core set of high-level secure software development practices that can be integrated into [software producers’ software development processes].” For more, see the Ankura coverage here.
Key Takeaways for Industry
For those applying for FDA approval of a medical device that falls under Section 3305’s definition of “cyber device,” now is the time to start preparing for the FDA’s soon-to-be-implemented rules and forthcoming regulations on medical device cybersecurity. That means:
- Developing a plan to identify and address post-market cybersecurity vulnerabilities and exploits;
- Designing and maintaining a process to provide reasonable assurance that the device and related systems are cybersecure and make available post-market software updates on a reasonably justified regular schedule;
- Creating a procedure to address, as soon as possible and out of cycle, critical vulnerabilities that could cause uncontrolled risk;
- Developing and documenting a secure software development approach and process; and
- Compiling an SBOM.
Healthcare providers should also coordinate with their clinical engineering teams to ensure that updated software/firmware, as well as whitepaper releases, are being received and installed in a timely manner. Further, providers should assess whether additional staffing will be needed: Section 3305 compliance by manufacturers may result in a tsunami of necessary patches and firmware updates being released, which may tax the ability of current clinical engineering teams to respond promptly.
How Can Ankura Help
- The Ankura National Security, Trade & Technology (NSTT) practice is a tight-knit, cross-functional team of former government contractor compliance executives, former in-house counsel, former federal prosecutors, engineers, cybersecurity subject matter experts, and policy professionals. The Ankura NSTT team can facilitate the establishment of secure software, firmware, and hardware development environments, and supply chain risk management (SCRM) programs, that meet both business objectives and regulatory requirements.
- Governance Program Implementation – Ankura has a deep bench of former in-house compliance counsel, federal prosecutors, federal law enforcement, and cybersecurity experts who can work with organizations to identify their regulatory requirements and build a right-sized compliance program.
- Secure Software Development – The Ankura team has extensive experience working with companies to develop, operationalize, and verify secure software development practices which meet the expectations and standards of federal agency regulators. The Ankura NSTT team has deep experience assessing software development programs as a fiduciary of U.S. federal agencies in complex Committee on Foreign Investment in the U.S. (CFIUS) National Security Agreements (NSAs).
- Cybersecurity Program Maturity Assessments – Ankura offers an in-depth look at clients’ cybersecurity program maturity through the NIST SP 800-171, NIST SP 800-53, FedRAMP, NIST SP 800-218, and other prevailing control regimes. These assessments not only help guide organizations through the controls but allow clients to build an assurance case for use in an audit.
- Technical Cybersecurity Assessments – The Ankura team's extensive experience working with critical infrastructure organizations means that it is well-positioned to conduct credible cybersecurity assessments of companies that fall into one of the categories identified in this legislation. This includes best practice assessments of cybersecurity programs, as well as technical security testing such as vulnerability and penetration tests.
- Penetration Testing – The Ankura technical cybersecurity team has deep expertise in performing network penetration tests as well as white-box and black-box software testing. The Ankura cybersecurity team works with software developers and operational technology (OT) device manufacturers to ensure their development environments are secure from advanced threat actors.
Internet of Things refers to devices that have at least one transducer (sensor or actuator) for interacting directly with the physical world and at least one network interface (e.g., Ethernet, Wi-Fi, Bluetooth) for interfacing with the digital world. Source: https://csrc.nist.gov/glossary/term/iot_device
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.