Healthcare: FDA Guidance on Medical Device Cybersecurity

Updated April 14, 2023

In December last year, the Consolidated Appropriations Act, 2023 (H.R. 2617), an omnibus appropriations bill funding the U.S. government for the fiscal year, was signed into law. It included section 3305, which added healthcare and medical device security provisions requiring manufacturers to ensure that their devices meet select cybersecurity requirements.

A few months later, at the end of March 2023, the US Food and Drug Administration (FDA) issued new guidance requiring that medical device manufacturers provide cybersecurity information in their premarket device submissions, effective immediately. The FDA set an October 1 deadline, expecting that “sponsors of cyber devices will have had sufficient time to prepare premarket submissions that contain information required by section 524B of the FD&C Act, and after such date, the FDA may exercise its authority to refuse or accept premarket submissions that do not.”

FDA Guidelines Set for Medical Device Manufacturers

The requirements state that device manufacturers must:

  • Include a plan to monitor, identify, and address, as appropriate and in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures.
  • Develop and maintain procedures that provide assurance that devices and systems are cybersecure, and have plans in place to patch and update devices and related systems at the postmarket stage.
  • Provide a Software Bill of Materials (SBOM) for their devices, including commercial, open-source, and off-the-shelf software components.

To assist manufacturers in keeping up with the requirements, the FDA issued an accompanying FAQ document. The information provided on that page may be useful for sponsors in preparing their submissions.

The cybersecurity requirements do not apply to devices retroactively; however, if a previously authorized device is further changed, the change warrants a new premarket review and the law applies to the updated submission.

For medical device manufacturers and remote patient monitoring (RPM) solution providers, this could mean delays in getting to market, process changes, additional costs, and lost revenue.

Considerations for Compliance

Two considerations medical device manufacturers and solution providers should take into account are to lean toward embedded cellular connectivity rather than Bluetooth connectivity, and to obtain secure access to a platform that allows real-time monitoring of devices and data.

At Kajeet, we work with RPM device manufacturers and telehealth solution providers to mitigate risks that could make companies vulnerable to cybersecurity breaches.

Our private wireless connectivity is not only a safe way to guard against breaches but also provides levels of security and enhanced capabilities that are not available otherwise. Furthermore, our Sentinel® IoT and data management platform provides visibility into device activity and data usage, along with real-time alerts that enable faster responses to threats.

A good way for manufacturers and solution providers to test concepts, solve technical issues, and future-proof prototypes is to request a FREE CELLULAR MODULE DEVELOPER KIT. This includes a 90-day SIM trial, live demo of the Sentinel platform, and access to engineers and architects from Kajeet labs.

Kajeet also offers expertise in design and module evaluation, testing alongside leading module manufacturers, cellular certification, and assistance with the procurement of compliant devices, programming, and cleansing.

Visit our connected health page for telehealth and RPM solution providers for more useful information.

Want to talk over your connected healthcare solution and where we might be able to help?

Talk to Us about Your Connected Health Solution
