In January 2023, Congress granted FDA new regulatory authority to require manufacturers to address cybersecurity in medical devices. Starting October 1, 2023, FDA will refuse to accept submissions if the device isn’t reasonably secure at birth and securable throughout its life.
This isn’t news for most manufacturers - it’s been years in the making. Cybersecurity protections have been an FDA requirement for years. The new part is a significant increase in certainty about what FDA will and will not accept. Now, it is the law: FDA will only review submissions that show a medical device is secure and securable throughout its usable life (Note: I have greatly simplified this language - see myriad other posts that pick apart the words of the law in great detail).
One might assume that a new regulation is a new burden. For many, it is the opposite; it is a relief. The new law raises the minimum bar for all manufacturers, so what used to be a non-competitive cost has become an opportunity for strategic advantage. For example, before the law, investment in automated vulnerability management may have resulted in strategic disadvantages (e.g., it could cost market share, delay time to market, or increase ongoing marginal costs) without increasing profits (i.e., customers don’t pay a premium for high-quality vulnerability management). Now, since all manufacturers face vulnerability management requirements from FDA, investment in better vulnerability management will provide an edge via faster or more certain regulatory approval.
From the top 10 large manufacturers to small startups building their first device, cybersecurity requirements have been a burden because they were unpredictable. I have spent a lot of time with manufacturers who were trying to figure out whether they should self-impose cybersecurity requirements, and, if so, which ones. Cybersecurity requirements vary by device, use context, level of network connectivity, and more. Cybersecurity for medical devices is expensive, cybersecurity experts are in demand and hard to retain, many standard cybersecurity tools are not usable in clinical settings (e.g., requiring multi-factor authentication from a surgeon before surgery is a usability-security tradeoff), and there are significant barriers to addressing cybersecurity basics.
Now, instead of spending many cycles at leadership levels trying to figure out what policies should govern all development, the policies can be relatively easily written and the focus can turn to engineering or procuring the best solutions. In short, manufacturers can move from discussing “whether” or “what” to designing “how” to do it. And that is easier for organizations.
Figuring out how to do it is a lot easier than figuring out what to do or whether to do it.
What a relief!
~Shannon, the Optimistic Optimizer