How FDA's New Policy Aims to Improve Medical Device Security
Dr. Suzanne Schwartz on What Device Manufacturers Need to Know to Win FDA Approval
A new Food and Drug Administration policy to "refuse to accept" premarket submissions for new medical devices if they lack cybersecurity details will help substantially improve the state of legacy devices in the future, said the FDA's Dr. Suzanne Schwartz.
"Ultimately, we want to be able to get rid of that long, long tail of legacy devices that are presently in use," said Schwartz, director of the office of strategic partnerships and technology innovation in the FDA's Center for Devices and Radiological Health.
Beginning Oct. 1, the agency will reject premarket submissions that don't detail a medical device's cybersecurity measures, including a plan to address postmarket vulnerabilities, a method for coordinated disclosures of exploits, and a software bill of materials (see: FDA Will Begin Rejecting Medical Devices Over Cyber Soon).
In the meantime, between now and Oct. 1, the FDA also expects such cybersecurity details to be included in new device submissions, but the agency will work collaboratively with manufacturers to address security deficiencies in the documentation that the device makers provide to the FDA, Schwartz told Information Security Media Group.
The FDA was granted the expanded authority over medical device cybersecurity by Congress as part of the Omnibus funding bill signed into law in December by President Joe Biden (see: Exclusive: FDA Leader on Impact of New Medical Device Law).
The FDA's "refuse to accept" policy has existed for years, but it didn't apply to the cybersecurity of medical devices. "On Oct. 1, what will go into effect is a kind of stage gating or screening for acceptance criteria of the submission," she said. "Does it have all the appropriate administrative elements that are necessary for a reviewer to begin a substantive review? If there are any elements that are missing, then that submission is going to be immediately rejected or bounced back."
"You're always going to have legacy devices out there, but those legacy devices should be able to be maintained in a cybersecure, safe and effective manner," she said. Current legacy devices pose a huge challenge for healthcare delivery organizations because they are not patchable or updatable, leaving healthcare institutions with a large exposure and attack surface, she said.
Once the FDA's new policy takes root, as new products enter the market and ultimately become legacy devices, "vulnerabilities, as they're identified, can be patched, and devices can be updated without affecting their performance."
In this video interview with Information Security Media Group, Schwartz also discusses:
- Why most products the FDA reviews will be considered a "cyber device" under the new regulations;
- Details of the documentation the FDA is now expecting as part of premarket device submissions and how those cybersecurity reviews are being performed;
- What's next in the FDA's plans involving medical device cybersecurity.
Schwartz supports the FDA's medical device cybersecurity program, which includes raising awareness, educating and conducting outreach, partnering, and coalition building within the healthcare and public health sector, as well as fostering collaborations across other government agencies and the private sector. She also chairs CDRH's cybersecurity working group, which is tasked with formulating the FDA's medical device cybersecurity policy, and she has served as co-chair of the Government Coordinating Council for the healthcare and public health critical infrastructure sector.