Metaphoric archers may also be challenged to extend their skills when it comes to predicate comparisons for cyber devices.
July 24, 2024
By: Hannah Taggart
Engineer and Regulatory Specialist, Empirical Technologies, an ATS Company
By: Meredith P. Vanderbilt, JD, RAC, CQA, MSE, BSE
Director of Consulting, Empirical
Have you ever experienced the frustration of trying to hit a bullseye on a moving target? In the medical device industry, cybersecurity is one of the fastest-moving targets. Medical device companies are now faced with the challenge of becoming archers as skilled as Katniss Everdeen to adjust their aim to the cybersecurity target in motion. As we discussed in “Process and Design Looping: Medtech’s Total Product Lifecycle,” all products should travel a circle of collecting feedback, improving the product, and verifying the modifications, but that product lifecycle is much faster for cybersecurity. Hackers and evildoers are working day and night to find and exploit the vulnerabilities of these devices.
A 2022 report from the FBI cited research that found 53% of digital and connected hospital devices had known vulnerabilities. It is likely that when these devices were first commercialized they were not vulnerable, but they have not been updated to deflect more recent and innovative threats. In 2020, a ransomware attack on a German hospital forced an ambulance to be turned away to another hospital 32 kilometers away and a woman died as a result of the delay of treatment: “The attack compromised the digital infrastructure that the hospital relies on to coordinate doctors, beds, and treatment, forcing the cancellation of hundreds of operations and other procedures. It also limited the hospital’s capacity drastically: whereas it normally treats more than 1,000 patients each day, it could attend to no more than half this during and after the attack.”
Another ransomware attack occurred in the last month on the nationwide Ascension hospital network and the clinical staff had to suddenly shift to a paper-based system. This slowed the internal processes for medications, diagnoses, and treatment. The industry as well as the FDA recognizes the importance of preventing a digital attack on our medical system, which is why the FDA released an updated final guidance, “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions” on Sept. 27, 2023.
This guidance, among other things, provided directions on what to include for cybersecurity testing for premarket approval submissions. However, this final guidance left the defining boundaries of the target blurry for many. In the few short months since the release of this final guidance, FDA has heard cries from the industry for more clarification from the agency for what is considered the center of the target one must hit to comply with Section 524B of the FD&C Act. FDA recently released a draft of select updates for the cybersecurity guidance that are in the works to provide additional information on cybersecurity and hosted a webinar to provide more insight into the updates.
As technology continues to advance, even something as simple as the definition of a cyber device is evolving. In FDA’s select updates draft guidance, one of the major definitions is clarified: the “ability to connect to the internet” may be intentional or unintentional, and either one makes the device a “cyber device.” This means devices that are not intended to be connected to the internet, but have the ability to be, will be considered cyber devices and required to provide all relevant documentation. The full definition of a cyber device is one that “(1) includes software validated, installed, or authorized by the sponsor as a device or in a device; (2) has the ability to connect to the internet; and (3) contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.” Additionally, the FDA provided examples of devices that have the ability, even unintentionally, to connect to the internet:
These proposed definitions might be shocking to some who have digital health devices not intended to connect to the internet but might have the hardware or firmware to connect to the intranet or other digital health devices. Although legacy devices are currently marketed based on previous clearances, updates to hardware, firmware, and software might be needed to meet the new definitions and expectations. This means that internal procedures and processes should be updated to reflect these new expectations.
Another area of concern from the final guidance surrounded Section 524B(b)(1) of the FD&C Act, which “requires manufacturers of cyber devices to submit to FDA ‘a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures’ in their premarket submissions.” The challenge for device manufacturers is that these vulnerabilities are changing continuously; just when one is identified, another is exposed. Industry demanded more clarification from FDA on the expectations of such a plan. The draft guidance addresses this by clarifying what to include for coordinated vulnerability disclosure:
Cyberattacks are evolving and expose new vulnerabilities every day. Medical device companies are responsible for responding to this changing landscape as they make plans to include updates as new threats, assets, or vulnerabilities are identified on both marketed devices and devices no longer marketed, but still in use. Such a situation may have companies cross-eyed as they aim to hit one target by addressing vulnerabilities in a software update, while also needing to hit a second target by addressing existing vulnerabilities in the old software version before the update is completed. Because of this requirement, all digital health manufacturers must have an effective process in place to identify and mitigate all newly identified threats and vulnerabilities in a “reasonable time.” The question for the FDA and the industry to answer together is what a “reasonable time” is. This is part of the moving target archers are seeking to hit.
Manufacturers of cyber devices must “design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure…” (section 524B(b)(2) of the FD&C Act). FDA states in the draft guidance that “reasonable assurance of cybersecurity can be part of FDA’s determination of a device’s safety and effectiveness,” but what does “reasonable assurance” really mean? This is a second question for the FDA and the industry to answer.
Metaphoric archers may also be challenged to extend their skills when it comes to predicate comparisons for cyber devices. The draft guidance gives an example of a situation where the subject device is identified to have an increased risk, due to a newly identified cybersecurity vulnerability, compared to a predicate, resulting in a not substantially equivalent decision. Medical device companies and regulators will be further challenged to evaluate risks associated with cybersecurity when considering predicate devices.
The draft guidance draws more defined boundaries around the topic of changes to cyber devices. It provides examples of changes that may impact cybersecurity requiring additional documentation versus examples of changes that wouldn’t impact cybersecurity. This clarification aims to help determine what situations lead to additional submission requirements.
In order to keep up with the world of cybersecurity, the medical device industry must adapt and overcome new challenges to ensure the safety of their devices. Navigating through these changes is akin to an archer hitting a moving target; it requires constant adjustment. The FDA and industry are working together to define the boundaries of this moving target. The draft guidance document aims to provide more clarification on the FDA’s current positions on cyber devices to assist the industry in hitting the bullseye. It is more critical than ever that manufacturers have sufficient processes in place for design development, testing (including cybersecurity), feedback, and security updates for all digital health devices.
Hannah Taggart is a forward-thinking biomedical engineer and regulatory associate with Empirical Technologies who is helping to navigate clients through the complex regulatory landscape to provide innovative and compliant medical devices for their patients.
Meredith P. Vanderbilt is an internationally known medical device regulatory affairs consultant unafraid to communicate directly and honestly with regulatory bodies and clients about strategies and submissions to provide compliant and high-quality devices to the market.