Cyberattacks on internet-connected medical devices such as insulin pumps, implantable cardiac defibrillators, mobile cardiac telemetry devices, pacemakers, and intrathecal pain pumps have increased in recent years, and they show no sign of slowing as more device types connect to the cloud (expanding the attack surface) and as attackers grow more sophisticated. In a September 2022 Private Industry Notification, the FBI noted that roughly 53% of connected medical devices and other Internet of Things (IoT) devices in hospitals had known critical vulnerabilities. Such vulnerabilities could allow an attacker to cause a device to report inaccurate readings, administer a drug overdose, or otherwise endanger patient health.
Until now, the U.S. Food & Drug Administration (FDA) has urged manufacturers to secure their products only through non-binding guidance. On December 29, 2022, President Biden signed into law the $1.7 trillion Omnibus Appropriations Act (the Consolidated Appropriations Act, 2023), which for the first time gives the FDA statutory authority to require cybersecurity measures from manufacturers of medical devices brought to market through future premarket submissions. See H.R. 2617 (117th Congress, 2021-2022).
Section 3305 of the Omnibus Appropriations Act amends the Federal Food, Drug, and Cosmetic Act (21 U.S.C. 301 et seq.) by adding a new section 524B, which imposes cybersecurity requirements on “cyber devices,” defined as devices that:
- “include software validated, installed, or authorized by the sponsor [of an application or submission under sections 510(k), 513, 515(c), 515(f), or 520(m)];”
- “[have] the ability to connect to the internet;” and
- “contain any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.”
This definition captures a broad range of products, from internet-connected hospital equipment such as smart beds, to pain pumps and insulin pumps, to wearable technology such as smartwatches, to the extent those products are FDA-regulated devices requiring a premarket submission. Note that all three prongs must be met: a device with no internet connectivity, or whose software was not validated, installed, or authorized by the sponsor, falls outside the definition.
Specifically, under the Act, a sponsor submitting a premarket application or submission for a “cyber device” must include “such information as the [HHS] Secretary may require to ensure that such cyber device meets” the cybersecurity requirements of new section 524B, namely:
- A plan to monitor, identify, and address, as appropriate, in a reasonable time, post-market cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures.
- Processes and procedures, designed, developed, and maintained by the sponsor, “to provide a reasonable assurance that the device and related systems are cybersecure, and make available post-market updates and patches to the device and related systems to address” vulnerabilities and risks. The statute distinguishes two cadences: known unacceptable vulnerabilities are to be addressed on a reasonably justified regular cycle, while critical vulnerabilities that could cause uncontrolled risks are to be addressed as soon as possible, out of cycle.
- A software bill of materials, including commercial, open-source, and off-the-shelf software components.
The Act also explicitly authorizes the FDA to impose, through regulation, “other requirements . . . to demonstrate reasonable assurance” that the device and related systems are cybersecure. These new requirements apply to premarket submissions made on or after March 29, 2023, 90 days after enactment; they do not, by their terms, reach devices already on the market under earlier submissions.
The Act also tasks the FDA and other government entities with publishing and providing certain guidance relating to cybersecurity, including:
- Guidance on the content of premarket submissions for management of cybersecurity in medical devices (to be prepared after “soliciting and receiving feedback from device manufacturers, health care providers, third-party-device servicers, patient advocates, and other appropriate stakeholders”).
- Public resources with information on improving cybersecurity of devices (such as identifying and addressing cyber vulnerabilities for health care providers, health systems, and device manufacturers, and how such entities may access support through government entities).
- A report by the Comptroller General of the United States (i.e., the Government Accountability Office) examining: the challenges that device manufacturers, health care providers, health systems, and patients face in accessing federal support to address device vulnerabilities; how federal agencies can strengthen coordination to better support device cybersecurity; and statutory limitations on, and opportunities for, improving device cybersecurity.
Dr. Suzanne Schwartz, the Director of the Office of Strategic Partnerships and Technology Innovation at the FDA’s Center for Devices and Radiological Health, has said that this “explicit authority” constitutes a “massive shift” for the FDA, and that it would be doing “a legal analysis of the statute . . . in terms of what its implications are to help further inform how [the FDA] go[es] forward.”
How will the FDA implement its newfound formal authority and align it with the guidance it has already drafted? What does this authority mean for the litigation landscape around internet-connected medical devices, and for internet-connected medical devices already on the market? Stay tuned for Parts 2 and 3 of this series, as we continue to monitor updates from the FDA on its regulation of internet-connected medical devices.
The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.