One Year Later: The Impact of the PATCH Act and Final Premarket Guidance on Medical Device Cybersecurity

Topics: FDA readiness, Regulatory, Thought leadership

Naomi Schwartz

October 2, 2024

New FDA requirements regarding cybersecurity for medical devices went into full effect on October 1, 2023. One year later, what has changed?

History of PATCH Act and Premarket Guidance

On March 29, 2023, the PATCH Act amendment to the Food, Drug & Cosmetic Act (FD&C Act), enacted as Section 524B, came into effect, marking a significant shift in the regulatory landscape for medical device manufacturers (MDMs). The following day, FDA released new final guidance, “Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber Devices and Related Systems Under Section 524B of the FD&C Act,” updating its Refuse to Accept (RTA) policy so that missing cybersecurity documentation became grounds for rejecting submissions for new or modified medical devices. FDA also indicated that it would give MDMs an approximately six-month grace period, through October 1, 2023, before applying the RTA policy to cyber devices. On September 27, 2023, FDA issued its final guidance “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.” That document details recommendations that clarify and extend the statutory requirements of the PATCH Act, and it also addresses securing medical devices that are not “cyber devices” as defined in Section 524B.

The PATCH Act amendment was aimed at addressing the growing cybersecurity risks associated with connected medical devices. Key obligations for MDMs under Section 524B include requirements to:

  • Develop and submit a plan to monitor, identify and address postmarket cybersecurity vulnerabilities and exploits in a reasonable time, including coordinated vulnerability disclosure and communication to users where needed
  • Design, develop and maintain processes and procedures that provide a reasonable assurance that the device and related systems are cybersecure, and make postmarket updates and patches available to the device and related systems
  • Submit a comprehensive Software Bill of Materials (SBOM) to FDA covering commercial, open-source and off-the-shelf software components

The new requirements went into full effect on October 1, 2023, giving medical device manufacturers time to implement and document their processes and design changes. Now, one year later, we assess the impact of these changes on the medical device industry and explore what is still needed to ensure robust cybersecurity for medical devices. Once PATCH was fully in effect, FDA withdrew the RTA guidance, since the statute itself now made clear which elements a submission must contain.

FDA eSTAR Program

Concurrently, on October 1, 2023, the FDA eSTAR program became mandatory for 510(k) submissions, following the issuance of final guidance on the “Electronic Submission Template for Medical Device 510(k) Submissions,” which updated the previous version from September 2022. The eSTAR templates in effect that October included some cybersecurity fields, but the most recent versions of the non-IVD and IVD templates, version 5, request comprehensive cybersecurity information in line with Section 524B of the Act and with the premarket guidance. MDMs cannot submit an eSTAR without at least the basic cybersecurity information documented in the template or provided as attachments.

Note that FDA has also issued final guidance on using eSTAR for De Novo requests; per that guidance, starting October 1, 2025, all De Novo submissions will be required to use eSTAR. The program remains optional for PMA submissions and PMA supplements.

What impact has the PATCH Act had in the last year?

FDA’s review of cybersecurity in premarket submissions has become much more consistent and rigorous

FDA’s review staff have clearly been trained on how to review the cybersecurity content of premarket submissions, and they have the tools necessary to produce consistent reviews using four-part harmony [see note]. FDA has been issuing cybersecurity deficiencies in a large number of submissions (CDRH publishes no official statistics on the proportion of 510(k)s or PMAs receiving cybersecurity deficiencies, though that would be useful information for industry). FDA has publicly stated that deficiency letters that include cybersecurity deficiencies contain, on average, fifteen of them. This is a major change from the past, when reviewers had to tie cybersecurity findings to quality system and risk management concerns, and manufacturers had far more leverage to push back against requests for information.

Note: Four part harmony requires the FDA reviewer to 1) restate what was provided in the original submission, 2) to describe what is missing given what was provided, 3) to explain why additional information is needed (citing standards or guidance as appropriate) and 4) to succinctly tell the applicant what information FDA needs in order to complete their review.

In general, FDA issued requests for additional information needed (AINN requests) on the first review cycle for 63–68% of 510(k)s submitted from FY2018 to FY2022; that was before the cybersecurity guidance was finalized and before Section 524B. The rate appears to have risen slightly, to about 70%, since the start of FY2023. It would be helpful if CDRH audited its cybersecurity deficiencies, both for adherence to four-part harmony and for an overall picture of how many are issued and which types are most common, so that MDMs and consultants can improve how industry functions in this space and identify efficiencies.

In our work with a range of medical device manufacturers, we have seen a 700% increase in AINN/MAJR deficiency letters due to cybersecurity since October 1, 2023.

FDA expects continued improvement of software development lifecycle

FDA is expecting manufacturers to improve their cybersecurity designs, their cybersecurity processes, and continuously improve their software development lifecycle based on best practices (also referred to as state of the art [see note]) in software development and cybersecurity. FDA also expects that MDMs learn from postmarket signals and feed that learning back into their software development lifecycle processes.

Note: FDA has expectations that a device is designed in accordance with the then prevailing state of the art; if a device manufacturer is found to not have designed and manufactured a product in accordance with the prevailing state of the art, FDA can order repair, replacement or refund under Section 518(b) of the Act.

For example, if analyzing the vulnerabilities associated with one’s software bill of materials (SBOM) turns up numerous common vulnerabilities and exposures (CVEs), one should investigate the most frequently occurring common weakness enumerations (CWEs) behind those CVEs. If certain CWEs keep reappearing, particularly ones associated with active exploitation, that information should be fed back to the software development team so that the organization’s coding standards, static analysis rules and code review checklists are updated to prevent those weakness classes in first-party code.
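The aggregation described above, as an added example (not Medcrypt’s or FDA’s code): it reads a CycloneDX-style SBOM that carries a `vulnerabilities` array (the `id`, `cwes` and `affects` fields are as CycloneDX 1.4+ defines them, which is an assumption about the tooling that produced the document), counts how often each CWE appears across the CVEs affecting the components, and flags CWEs that are backed by a CVE on a known-exploited list. The SBOM excerpt, the CVE IDs of the form `CVE-0000-000N` and the exploited-CVE set are constructed placeholders, not real findings; the CWE numbers are real CWE identifiers.

```python
"""
Summarize CWEs behind the CVEs affecting an SBOM, flagging those backed by
actively exploited CVEs, so the results can feed back into coding standards.

Added example; not Medcrypt's or FDA's code. Assumes CycloneDX-style JSON
with a top-level "vulnerabilities" array ("id", "cwes", "affects"). All
component names, versions and CVE IDs below are constructed placeholders.
"""
import json
from collections import defaultdict

# Constructed SBOM excerpt. CWE-787 (out-of-bounds write), CWE-125
# (out-of-bounds read) and CWE-327 (broken/risky crypto algorithm) are
# real CWE IDs; everything else here is illustrative.
SAMPLE_BOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"bom-ref": "lib-a", "name": "libexample-parser", "version": "1.2.0"},
    {"bom-ref": "lib-b", "name": "libexample-tls", "version": "3.0.1"}
  ],
  "vulnerabilities": [
    {"id": "CVE-0000-0001", "cwes": [787], "affects": [{"ref": "lib-a"}]},
    {"id": "CVE-0000-0002", "cwes": [787, 125], "affects": [{"ref": "lib-a"}]},
    {"id": "CVE-0000-0003", "cwes": [327], "affects": [{"ref": "lib-b"}]},
    {"id": "CVE-0000-0004", "cwes": [787], "affects": [{"ref": "lib-b"}]},
    {"id": "CVE-0000-0005", "cwes": [], "affects": [{"ref": "lib-b"}]}
  ]
}
""")

# Constructed stand-in for a known-exploited-vulnerabilities feed, e.g. the
# set of cveID values from CISA's KEV catalog.
SAMPLE_KEV = {"CVE-0000-0002"}


def cwe_summary(bom, exploited_cves):
    """Return {cwe_key: {"count", "cves", "exploited", "components"}}.

    A CVE with several CWEs is counted once under each; a CVE with no CWE
    mapping lands under "unmapped" so it is not silently dropped.
    """
    name_by_ref = {
        c["bom-ref"]: f'{c["name"]}@{c["version"]}'
        for c in bom.get("components", [])
    }
    summary = defaultdict(
        lambda: {"count": 0, "cves": set(), "exploited": set(), "components": set()}
    )
    for vuln in bom.get("vulnerabilities", []):
        cve = vuln["id"]
        comps = {name_by_ref.get(a["ref"], a["ref"]) for a in vuln.get("affects", [])}
        for cwe in vuln.get("cwes") or ["unmapped"]:
            key = f"CWE-{cwe}" if isinstance(cwe, int) else cwe
            entry = summary[key]
            entry["count"] += 1
            entry["cves"].add(cve)
            entry["components"] |= comps
            if cve in exploited_cves:
                entry["exploited"].add(cve)
    return dict(summary)


def prioritized(summary):
    """CWEs with exploited CVEs first, then by frequency, then by name."""
    return sorted(
        summary,
        key=lambda k: (-len(summary[k]["exploited"]), -summary[k]["count"], k),
    )


def report(summary):
    """Render one line per CWE, in priority order, for the dev-team feedback loop."""
    lines = []
    for key in prioritized(summary):
        e = summary[key]
        flag = " [EXPLOITED]" if e["exploited"] else ""
        lines.append(
            f"{key}{flag}: {e['count']} CVE(s) across "
            f"{', '.join(sorted(e['components']))}"
        )
    return lines


if __name__ == "__main__":
    for line in report(cwe_summary(SAMPLE_BOM, SAMPLE_KEV)):
        print(line)
```

In this constructed data CWE-787 tops the list because it appears three times and one of its CVEs is on the exploited list; that is the signal that should drive a coding-standard or static-analysis rule update rather than a series of one-off patches.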

FDA has proposed updates to the final premarket cybersecurity guidance (September 2023) through its draft “Select Updates for the Premarket Cybersecurity Guidance: Section 524B of the FD&C Act” (March 2024), and a final update is expected once FDA has reviewed and incorporated public comment. Major changes beyond the draft are unlikely, though some of the proposed updates may not survive. FDA may also be considering revisions to its postmarket guidance to align it with the legal framework provided by the FD&C Act, but the postmarket guidance did not make it onto the A-list or B-list of proposed guidance documents for FY2024.

FDA has issued more sophisticated deficiencies

We’re seeing significantly more sophisticated deficiencies from FDA, including “stock deficiencies” that are issued routinely and “bespoke deficiencies” in which FDA focuses on (sometimes deeply) technical elements of cybersecurity, for example the use of obsolete cryptographic algorithms.

Regarding threat models:

  • We have noted that the FDA has issued deficiencies regarding inadequate threat models.
  • We see threat modeling deficiencies in a majority of deficiency letters issued with cybersecurity elements.
  • At times, after working with clients, we note that the staff performing threat modeling is not adequately trained or skilled for that purpose.

Conclusion

We predict that FDA’s next step will be postmarket enforcement of cybersecurity requirements, since premarket expectations are already covered by Section 524B, eSTAR and other premarket submission review tools. FDA has stated specifically that postmarket enforcement takes longer to have an impact, and that its early focus would be on ensuring that cybersecurity design and the relevant processes are detailed in premarket submissions. It has also stated publicly that this focus would shift as its efforts ramped up.

In light of that, what will eventual postmarket enforcement look like? We would suggest that FDA has clear enough statutory and regulatory authority at this point to issue inspectional guidance related to cybersecurity. In FDA’s webpage discussing inspections, there are five (5) elements related to medical devices at present:

  1. Quality Systems (see 21 CFR Part 820, to be superseded by the Quality Management System Regulation (QMSR))
  2. EMC Aspects of Medical Device QMS
  3. Bioresearch Monitoring Inspections (IVDs)
  4. Mammography Quality Standards Act
  5. Medical Device Manufacturers (link is dead, this may be a mistake on FDA’s web page).

Given the precedent set by the elements above, we expect to eventually see a new inspectional element for cybersecurity. MDMs should prepare for the eventuality that their QMS will be inspected for cybersecurity processes and procedures, and should ensure that cybersecurity is thoroughly integrated into the QMS wherever appropriate. Some questions to consider include:

  • Does your QMS support managing postmarket cybersecurity risks? (For example, have you considered how your complaint handling processes would work if the complaint appears to have a cybersecurity linkage?)
  • What standards are you leveraging to ensure that you have something like a secure product development framework?

If you are in quality assurance or regulatory affairs, you need to start looking at how you’re managing these elements and documenting them.

Medcrypt offers pre-reviews of premarket submissions before you submit to FDA through our FDA Cybersecurity Readiness Assessment. If you have already received a deficiency letter, Medcrypt can support you through your deficiency response. We’re happy to be your FDA cybersecurity partner to ensure that your filings are clear and complete. Start by taking our complimentary FDA Cybersecurity Filing Readiness Survey.
