FDA Sets Cybersecurity Requirements for IoT Medical Devices

Many modern medical devices, from pacemakers to insulin pumps, contain software and transmit information to healthcare facilities, end users’ smartphones and other medical devices through the Internet of Things (IoT). IoT connectivity offers exciting benefits, including:

• Advancing healthcare providers’ ability to diagnose, treat, monitor and collect and analyze data.
• Improving device manufacturers’ ability to monitor, maintain and repair software issues remotely.
• Enhancing user experience, software upgrades and troubleshooting.

However, any device that contains software and connects to a network or another device carries the risk of vulnerabilities to cyberattacks. Medical device vulnerabilities originating in device design and software management may negatively impact healthcare facility operations, patient health and safety, and data confidentiality and integrity. 

Omnibus Appropriations Bill

Despite the growing concern about vulnerabilities and reports of cyberattacks, the U.S. lacked legislation requiring a baseline level of cybersecurity for medical devices. This changed on Dec. 29, 2022, when Congress signed into law the Omnibus Appropriations Bill, which authorized the Food and Drug Administration (FDA) to establish requirements for the cybersecurity of connected medical devices. Section 3305 of the Omnibus Appropriations Bill, "Ensuring Cybersecurity of Medical Devices," amended the Federal Food, Drug, and Cosmetic Act (FD&C Act) to add section 524B, “Ensuring Cybersecurity of Devices.”

Section 524B(a) of the FD&C Act states that a medical device manufacturer submitting a device for premarket FDA approval must include information that demonstrates that the device meets the cybersecurity requirements in section 524B(b) of the FD&C Act. These requirements are:

• “Submit a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures;
• Design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems; and
• Provide a software bill of materials, including commercial, open-source, and off-the-shelf software components"

Omnibus Appropriation Bill’s impacts on medical devices

Although the bipartisan Protecting and Transforming Cyber Healthcare (PATCH) Act, introduced in April 2022, previously gave medical device cybersecurity guidelines to medical device manufacturers, the lack of binding requirements had significant negative impacts on the healthcare sector, including the following:

Regulatory uncertainty

Prior to the Omnibus Appropriations Bill, the FDA acted at its own discretion to apply regulatory science amidst the rapidly changing cybersecurity landscape. Because this was so, manufacturers submitting their medical devices for premarket regulatory approval were often met with surprises because different evaluators interpreted the definitions of cyber devices and cybersecurity in different ways. The Omnibus Appropriations Bill establishes an unambiguous framework for premarket evaluations; the FDA Office of Product Evaluation and Quality (OPEQ) will perform an evaluation to these requirements, resulting in clear and consistent expectations and a more efficient evaluation process.

Lack of transparency and traceability

Because medical devices contain many software components, manufacturers were often unable to effectively trace the source of the problem and fix the issue when vulnerabilities were found and recalls were announced. The Omnibus Appropriations Bill requires medical device manufacturers to catalog the commercial, open-source and off-the-shelf software components within a medical device in a software bill of materials, which will help improve accountability along the supply chain and streamline manufacturers’ efforts to identify, trace and remediate vulnerabilities.

Diminished trust in data transmitted via connected medical devices

As the world’s population grows, it far exceeds the number of patients that healthcare practitioners can consult with in person during health crises like the COVID-19 pandemic. Although the need for urgent response to COVID-19 accelerated the adoption of telemedicine and its acceptance by insurance companies, questions and concerns arose regarding the accuracy and integrity of patient data transmitted via smartphone during telemedicine appointments: Is the patient who they claim to be and appear to be onscreen? Can the video faithfully show nuances — such as gray or cyanotic coloring when an illness like COVID-19 is present and may impact the patient’s respiratory system?

In a September 2022 report, the U.S. Federal Bureau of Investigation (FBI) identified a growing incidence of vulnerabilities in medical devices running on outdated software and lacking sufficient security features. According to the report, susceptible devices include insulin pumps, defibrillators, mobile cardiac monitoring devices, pacemakers and surgically implanted pain pumps. Compromised devices can give inaccurate readings, cause drug overdoses or jeopardize patients’ health and safety in other ways.

Technology now enables people to acquire data on themselves constantly through connected medical devices. If the integrity and confidentiality of that data can’t be trusted by the institution of medicine, then it isn’t useful in improving individuals’ health.

The requirements established in the Omnibus Appropriations Bill help ensure the integrity of the data to improve medical devices’ utility in diagnosing, treating and monitoring medical concerns.

Stalled software-intensive breakthroughs in medicine

Medical device interoperability, artificial intelligence (AI), machine learning (ML) and quantum computing can greatly advance the medical sector’s capability to diagnose, monitor and treat medical conditions; personalize medicine; tackle drug discovery challenges and optimize healthcare pricing. However, all of these developments rely on cybersecurity and data integrity to help protect patient safety and confidentiality. The Omnibus Appropriations Bill establishes critical cybersecurity requirements for processes and products so the medical sector can move beyond cybersecurity fundamentals to gain ground in these more advanced applications.

Preparing for new cybersecurity requirements

The cybersecurity requirements provided in the FD&C Act, section 524B(b), go into full effect on Oct. 1, 2023. The FDA provides recommendations for managing cybersecurity in the 2014 guidance “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices”  and the 2016 guidance, “Postmarket Management of Cybersecurity in Medical Devices.” The FDA also recognizes ANSI/UL 2900-1:2017, the Standard for Software Cybersecurity for Network-Connectable Products, and IEC 81001-5-1: 2021 as consensus standards to help support device manufacturers’ preparation of cybersecurity documentation for regulatory submissions.

The UL 2900 Series of Standards (UL 2900-1:2017, the Standard for Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements, 1st Edition, and Part 2: Particular Requirements for Network Connectable Components of Healthcare and Wellness Systems, 1st Edition), was developed with input from major stakeholders representing government, academia and industry.

In 2020, the International Medical Devices Regulators Forum (IMDRF) published medical device cybersecurity best practices guidance recommending that network-connected medical device manufacturers comply with UL 2900. Not only does the U.S. FDA refer to UL 2900 in its recommended resources for medical device manufacturers seeking compliance with medical device cybersecurity regulatory requirements, but this series of standards is also referred to in international cybersecurity guidance, as well (including Australia, Canada, China, France and Singapore).

UL Cybersecurity Assurance Program

With the UL Cybersecurity Assurance Program (UL CAP), UL Solutions assesses software vulnerabilities and weaknesses in embedded products and systems using standardized, testable criteria. Based on the UL 2900 Series of Standards, UL CAP helps organizations manage their cybersecurity risks and validate their cybersecurity capabilities to the marketplace. 

We leverage our long-standing expertise in safety science, standards development, testing and certification to offer:

• Advisory – Our customized programs offer educational support to help companies navigate cybersecurity best practices and standards, assess cybersecurity objectives and processes, qualify risk, and expand their internal knowledge base to address cybersecurity in product development.
• Testing – Penetration testing involves structured security assessments for discovering and exploiting software vulnerabilities with extensive hacking techniques, including embedded systems analysis and firmware evaluation.
• Certification – Certification to the UL 2900 Series of Standards is the highest recognition of cybersecurity due diligence and helps demonstrate that a product or system is compliant with modern standards.