Raising the Regulatory Bar on Medical Device CybersecurityFDA's Dr. Suzanne Schwartz on Expanded Expectations, Upcoming Final Guidance
The Food and Drug Administration's recently enhanced authority over medical device cybersecurity - as granted by an omnibus funding bill signed into law last year - is "transformative" in raising the bar on what is expected from manufacturers in their product submissions to the agency, said Dr. Suzanne Schwartz of the FDA.
Beginning on Oct. 1, under its "refuse to accept" policy, the FDA will automatically reject medical device premarket submissions that don't include specific cybersecurity details required by the agency as spelled out under the new law, said Schwartz, who leads the FDA's medical device cybersecurity efforts (see: FDA Will Begin Rejecting Medical Devices Over Cyber Soon).
Until then, the FDA is working interactively with medical device manufacturers to help them better understand what's required to avoid the outright rejection of their products due to the lack of cybersecurity specificity, she said.
For now, medical device makers essentially have "an on-ramp" to compile all the information needed to ensure that their premarket submissions contain all the required elements that are called for in the cybersecurity provisions of the omnibus legislation, she said.
But after Oct 1, medical device makers "absolutely need to include all the elements" or face immediate product review rejection.
The FDA also aims to release final updated premarket medical device cybersecurity guidance, hopefully by Oct. 1, to help fortify the effort, Schwartz said. A draft version of that updated FDA guidance was issued in April 2022, and it recommends the cybersecurity steps medical devices makers should take in the premarket of their products, mapping closely with what's required under the omnibus legislation, according to Schwartz.
The final guidance will likely include "some tweaks" that take into consideration some of the public comments that the FDA received on the draft version.
"We are working very diligently in trying to get that finalized," she said.
In this video interview at the recent Information Security Media Group Healthcare Security Summit in New York City, Schwartz also discussed:
- Cybersecurity details medical device makers must include in their premarket submissions;
- Areas where some medical devices makers appear to be struggling, such as understanding the software bill of materials that needs to be included with product submissions;
- Other issues related to the FDA's enhanced authority over medical device cybersecurity.
Schwartz supports the FDA's medical device cybersecurity program, which includes raising awareness, educating and conducting outreach, partnering, and coalition building within the healthcare and public health sector, as well as fostering collaborations across other government agencies and the private sector. She also chairs CDRH's cybersecurity working group, which is tasked with formulating the FDA's medical device cybersecurity policy, and she has served as co-chair of the Government Coordinating Council for the healthcare and public health critical infrastructure sector.