How FDA's New Policy Aims to Improve Medical Device Security

Dr. Suzanne Schwartz on What Device Manufacturers Need to Know to Win FDA Approval
Dr. Suzanne Schwartz, director of the Office of Strategic Partnerships and Technology Innovation, FDA Center for Devices and Radiological Health

A new Food and Drug Administration policy to "refuse to accept" premarket submissions for new medical devices that lack cybersecurity details will substantially improve the state of legacy devices in the future, said the FDA's Dr. Suzanne Schwartz.

"Ultimately, we want to be able to get rid of that long, long tail of legacy devices that are presently in use," said Schwartz, director of the office of strategic partnerships and technology innovation in the FDA's Center for Devices and Radiological Health.

Beginning Oct. 1, 2023, the agency will reject premarket submissions that don't detail a medical device's cybersecurity measures, including a plan to identify and address postmarket vulnerabilities and exploits, a process for coordinated vulnerability disclosure, and a software bill of materials (see: FDA Will Begin Rejecting Medical Devices Over Cyber Soon).

Until Oct. 1, the FDA also expects such cybersecurity details to be included in new device submissions, but the agency will work collaboratively with manufacturers to address security deficiencies in the documentation that device makers provide, Schwartz told Information Security Media Group.

The FDA was granted expanded authority over medical device cybersecurity by Congress as part of the omnibus funding bill signed into law in December 2022 by President Joe Biden (see: Exclusive: FDA Leader on Impact of New Medical Device Law).

The FDA's "refuse to accept" policy has existed for years, but it didn't apply to the cybersecurity of medical devices. "On Oct. 1, what will go into effect is a kind of stage gating or screening for acceptance criteria of the submission," she said. "Does it have all the appropriate administrative elements that are necessary for a reviewer to begin a substantive review? If there are any elements that are missing, then that submission is going to be immediately rejected or bounced back."

"You're always going to have legacy devices out there, but those legacy devices should be able to be maintained in a cybersecure, safe and effective manner," she said. Current legacy devices, many of which cannot be patched or updated, pose a major challenge for healthcare delivery organizations and present a large exposure and attack surface for healthcare institutions, she said.

Once the FDA's new policy takes root, as new products enter the market and ultimately become legacy devices, "vulnerabilities, as they're identified, can be patched, and devices can be updated without affecting their performance."

In this video interview with Information Security Media Group, Schwartz also discusses:

  • Why most products the FDA reviews will be considered a "cyber device" under the new regulations;
  • Details of the documentation the FDA is now expecting as part of premarket device submissions and how those cybersecurity reviews are being performed;
  • What's next in the FDA's plans involving medical device cybersecurity.

Schwartz supports the FDA's medical device cybersecurity program, which includes raising awareness, educating and conducting outreach, partnering, and coalition building within the healthcare and public health sector, as well as fostering collaborations across other government agencies and the private sector. She also chairs CDRH's cybersecurity working group, which is tasked with formulating the FDA's medical device cybersecurity policy, and she has served as co-chair of the Government Coordinating Council for the healthcare and public health critical infrastructure sector.

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
