A startup recently shared with us that they were considering incorporating remote software updates into their medical device. They knew this feature would add a lot of value, but were leaning against it for fear it would create barriers to FDA approval due to cybersecurity concerns. This is a natural concern, especially given the major changes around cybersecurity that have happened at FDA in the last year. We would argue, however, that remote software updates are no longer optional precisely because of FDA’s increased scrutiny on cybersecurity.
First, a quick history. FDA has recognized the importance of cybersecurity for more than a decade. In 2014 and 2016, they finalized guidance documents on cybersecurity information in pre-market submissions and post market management of cybersecurity. While FDA technically did not have statutory authority to require cybersecurity information, they understandably argued that cybersecurity is key to device safety, and therefore in their purview. Medical device manufacturers were expected to include a cybersecurity file with basic risk analyses, but the bar was not particularly high; especially for low risk devices.
Everything changed in 2023, however, when the Food and Drug Omnibus Reform Act (FDORA) codified new statutory authority for the FDA to require cybersecurity information and post-market monitoring for cybersecurity vulnerabilities. Section 524B of the Federal Food, Drug and Cosmetic (FD&C) Act now requires specific cybersecurity information for all “cyber devices” and detailed plans on how vulnerabilities will be handled post-market. Now you might be thinking, “yeah, but my device is not a cyber device.” Think again.
Here is how the FD&C Act defines a cyber device:
DEFINITION.—In this section, the term ‘cyber device’ means a device that—
(1) includes software validated, installed, or authorized by the sponsor as a device or in a device;
(2) has the ability to connect to the internet; and
(3) contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.
Now you might be thinking, “Cool, so long as my device doesn’t connect to the internet, it’s not a cyber device.” Not so fast. FDA probably heard this once or twice and decided to provide some additional clarification in their March 2024 draft guidance Select Updates for the Premarket Cybersecurity Guidance: Section 524B of the FD&C Act. Here it their clarification verbatim:
FDA considers devices that include any of the following features to have the ability to connect to the internet. The list below is illustrative, not exhaustive:
- Wi-Fi or cellular;
- Network, server, or Cloud Service Provider connections;
- Bluetooth or Bluetooth Low Energy;
- Radiofrequency communications;
- Inductive communications; and
- Hardware connectors capable of connecting to the internet (e.g., USB, ethernet, serial port).
Did you pick up on that last line? FDA is saying, if you incorporate any means of wireless or wired communication in your device, it’s a cyber device!
So what does that have to do with remote software updates? Well, section 524(b)(1) of the FD&C Act requires plans that describe “the timeline, with associated justifications, to develop and release required updates and patches.” Again, verbatim from the guidance:
- Section 524B(b)(2)(A) of the FD&C Act requires manufacturers of cyber devices to make updates and patches for known unacceptable vulnerabilities available on a reasonably justified regular cycle.
- Section 524B(b)(2)(B) of the FD&C Act requires manufacturers of cyber devices to make available updates and patches to the device and related systems to address as soon as possible out of cycle, critical vulnerabilities that could cause uncontrolled risks.
Now you tell me: how are you going to “make updates and patches” to your cyber device without remote software updates? Will you execute a physical device recall? Is the plan to send a technician around with a thumb drive? Putting aside the cost and reputational damage to either of these approaches, it probably won’t fly with FDA anyway. Notice the language: “the FD&C Act requires manufacturers of cyber devices to make available updates and patches to the device and related systems to address as soon as possible out of cycle..”
The bottom line is that FDA just raised the cybersecurity bar substantially when it comes to medical devices that incorporate software and any conceivable means of external access. You’re not going to be able to get away with simple rationales of why your device is low risk or why it is not a cyber device. Chances are that (a) your device is a cyber device, (b) you need to make sure cyber security risks are managed, and (c) you need a means to update it remotely once fielded.
Now here is the good news: First, ensuring the cybersecurity of your device is not just a good idea because FDA is forcing you to; it’s the right thing to do and it’s the smart thing to do. Second, it’s not just a cybersecurity issue. You may find a software anomaly that impacts your device’s safety and be forced to issue a recall if you don’t have remote software update capabilities. Third, data is gold. Avoiding cloud connectivity out of cybersecurity fear robs you of the tremendous value that comes from generating and accessing all sorts of data that increase your enterprise value. And finally, implementing secure remote software updates (and cloud connectivity in general) is challenging, but it’s not rocket science. You just have to make sure it is truly secure. In our next blog, we’ll explain precisely how to do that.
Bold Type is here to help whether you need a secure software development partner or just a consultant to help ensure your system is secure and will meet FDA’s latest requirements. Reach out at [email protected] to set up a quick chat.