Starting Oct. 1, significant changes go into effect for medical device manufacturers—and medical device cybersecurity experts have mixed opinions on whether device makers are ready for the change.
The FDA's "Refuse to Accept" policy relates to the FDA's review of medical devices and their premarket submission notification, known as the 510(k) submission process (named after the submission form). Under the new Refuse to Accept policy, the FDA will automatically begin rejecting premarket medical device submissions if they fail to meet the FDA's expected description of device security measures, including security controls, handling vulnerability disclosure with security researchers, and a software bill of materials (SBOM).
The new FDA regulatory powers behind the policy came from legislation signed into law in December that gave the FDA more substantial authority over what the agency can require from device makers as they work to get regulatory approval to bring their devices to market.
Christopher Gates, director of product security at therapeutic and diagnostic active medical devices maker Velentium, and author of the book “Medical Device Cybersecurity for Engineers and Manufacturers,” believes the impact of the new policy enforcement will go "badly" for medical device makers.
"I have been performing an ad-hoc survey of manufacturers during my presentations at conference shows, and so far, out of hundreds of manufacturers, none were aware of the changes to 510(k)s with regard to cybersecurity. Since enforcement started on March 29 of this year, we are already knee-deep in the FDA enforcing this new law. This will result in manufacturers being delayed, and in some cases massively delayed, as they try to regroup from the FDA's questions about cybersecurity," Gates said.
Others, including Bill Pelletier, an embedded systems security architect at a medical device and software maker based in the northeast U.S., say device makers should already be quite prepared for the updated policy. "It should be no surprise to any MDM when/if their submissions are summarily returned for rework due to lack of compliance to section 524B of the FD&C Act (Omnibus Appropriations)," he says.
Pelletier and others say the new policy is simply transferring what traditionally has occurred between the FDA and the MDM post-submission back to the MDM for pre-submission completion. "It (hopefully) removes the inefficiencies of that back-and-forth negotiation and rework that occurred when MDMs submitted less-than complete (or accurate) submissions for cyber devices," Pelletier says.
Whether or not medical device makers are ready, most healthcare delivery organizations care about how the policy may make it easier to secure their connected medical devices. Gates contends the RTA policy will help the industry over time.
"It will, although it may not feel that way for most. As manufacturers have made a pointed effort to ignore FDA cybersecurity requests, now that they are requirements, it will be quite a shock for some. However, for others who have not been ignoring cybersecurity, this could be an opportunity to gain market share and entrench positions in the market," he says.
In the longer term, Gates believes the increased security will help healthcare delivery organizations to secure and manage these devices better. "VERY long term, as more secure medical devices enter the field, the percentage of vulnerable devices will go down, thus improving the overall security posture of the HDOs. But this process will take years, maybe decades," he says.
Pelletier believes the new rules, including the "secure by design" and SBOM requirements, will have a positive impact and help the manufacturing processes to become "more complete," which will result in better (and by extension – safer) devices. "However – I do see a very long tail to this process."
Pelletier draws security parallels in traditional IT. "Three come to mind, most notably: Sarbanes-Oxley, which helped clean up financial record keeping and system integrity; Gramm-Leach-Bliley – the granddaddy of data privacy laws (along with CA SB1384 and MA 201 CMR 17), and of course – the PCI-DSS, ostensibly to protect our credit card system and data.
“These helped improve things but did not solve the problems, as evidenced by the continuing march of data breach events. No matter how compliant a system is, there will always be gaps for exploitation," he says.
"I see the same happening with the Omnibus. It is a great start, but it is not a solution. We will still have devices compromised, we will still have data breaches, and we will still have continuous work to do. This is on top of the fact that, unlike traditional IT systems, which have a three or five-year depreciation lifespan, medical device lifetimes can be measured in decades. So – no matter what happens in October, we will be dealing with a tremendous number of legacy devices for many years to come," he says.
Gates sees it differently. "For the most part, medical device manufacturers have ignored cybersecurity for the past 10 years; now that it is mandatory and they will have to face it, they have not prepared, which has resulted in development teams that are largely ignorant of all aspects of cybersecurity, from technical to the regulatory requirements," says Gates.
George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.