Inside Look: FDA’s Cyber Review Process for Medical Devices – Source: www.govinfosecurity.com

Medical device makers in their premarket submissions to the Food and Drug Administration – under the agency’s new “refuse to accept” policy for cybersecurity – should pay especially close attention to details such as a product’s software bill of materials and vulnerability management plan, said Jessica Wilkerson, a FDA senior cybersecurity advisor.

SBOMs and vulnerability management issues have been among the top areas of difficulty for medical devices makers in premarket submissions as the agency prepares to enforce starting Oct. 1 its right to reject medical device submissions that lack details on cybersecurity

“Software bill of materials in many ways is still a maturing and evolving concept. And so we are one of the first federal agencies to be explicitly requiring software bill materials as part of our regulatory process,” she told Information Security Media Group.

The FDA can, as of October, automatically reject medical device premarket submissions that don’t include specific cybersecurity details required by the agency under an amendment Congress made to the Federal Food Drug and Cosmetics Act and signed into law last December by President Joe Biden (see: FDA Finalizes Guidance Just as New Device Cyber Regs Kick In).

In its review of premarket product submissions, the FDA will scrutinize whether a medical device is resilient to cyber threats, Wilkerson said.

“Does this medical device provide a reasonable assurance that the device and related systems are cybersecure? That’s not something that can be done in a checklist fashion. That’s something that has to be taken in total from the different characteristics of the device, including things like its threat model, its update capability, its software supply chain, and some of these other things.”

The FDA has been working with medical device manufacturers since March 29, when the refuse to accept policy for cybersecurity issues technically went into effect, to help makers better understand how to avoid rejection, Wilkerson said.

“The FDA has always had a very collaborative approach with the medical device manufacturer community. The reason that we’re so collaborative is we want to see advanced device capabilities get out into the market that will improve patient quality of life and patient care,” she said.

In the audio interview (see link below her photo, above), Wilkerson also discusses:

• How the FDA’s cybersecurity review process works;
• What device makers can expect next if a product submission is rejected by the FDA based on cybersecurity concerns;
• How medical device makers can best use the FDA’s newly released, 57-page final premarket medical device cybersecurity guidance to better understand the cyber details required by the agency;
• How the FDA’s enhanced authority over medical device cybersecurity will affect healthcare delivery organizations that use the products and their patients;
• FDA’s other previous and future activities around medical device cybersecurity, including legacy products.

Wilkerson is senior cyber policy advisor and medical device cybersecurity team lead with the All Hazards Readiness, Response, and Cybersecurity, or ARC team in the Center for Devices and Radiological Health within the FDA. As part of ARC, she examines issues and develops policy related to the safety and effectiveness of connected medical devices.