December 1, 2023
by Michele G. Sullivan

Device cybersecurity must be a priority from design through retirement, experts say

Fort Worth, TX – Cybersecurity must be a priority for any medical device that connects to the internet, from its earliest design phase to the end of its product lifetime, said a panel of experts who spoke at the 2023 Combination Products Summit held by the AFDO/RAPS Healthcare Products Collaborative.
 
“Cybersecurity definitely spans the total product lifecycle,” said Aftin Ross, acting deputy director of the Division of All Hazards Response, Science and Strategic Partnerships at the US Food and Drug Administration (FDA) Center for Devices and Radiological Health (CDRH).
 
“This is a shared responsibility” between manufacturers and regulators, she said. “You have to think about it very early on in development, all the way through the obsolescence of your device. It's critical that you start thinking about that at the beginning because it is very challenging to try to bolt it on at the end.”
 
It’s been a banner 13 months for cybersecurity actions at the FDA, Ross said.
 
In December 2022, Congress granted the agency new authority to require cybersecurity features in internet-connectable devices. Section 524B of the Federal Food, Drug, and Cosmetic Act, “Ensuring Cybersecurity of Devices,” was signed into law as part of the Food and Drug Omnibus Reform Act (FDORA). It applies to prospective submissions for so-called cyber devices under the 510(k), de novo, humanitarian device exemption, product development protocol, and premarket approval pathways.
 
Shortly thereafter, the agency issued final guidance explaining how it would exercise its new authority to require certain cybersecurity information in medical device submissions (RELATED: FDA final guidance explains its cybersecurity RTA policy for devices, Regulatory Focus, 29 March 2023). In short, a submission for a cyber device that lacks the required cybersecurity information can receive a “refuse to accept” decision. And in late September, CDRH finalized a 57-page premarket guidance detailing how sponsors should address cybersecurity for any device that has the capability to connect to the internet, and is therefore potentially vulnerable to a cybersecurity threat (RELATED: FDA premarket cybersecurity guidance clarifies SBOM requirements, Regulatory Focus, 28 September 2023).
 
Section 524B(c) defines which medical devices are subject to the law. A cyber device has three specific characteristics, Ross said: it includes software validated, installed, or authorized by the sponsor; it has the ability to connect to the internet; and it contains technological characteristics, validated, installed, or authorized by the sponsor, that could be vulnerable to cybersecurity threats.
 
The law details the sponsor’s responsibilities in developing, maintaining and retiring such a product, Ross said. Sponsors must submit a plan to monitor and address any cybersecurity vulnerabilities that appear in the postmarket period. They also have to design, develop and maintain processes that provide “reasonable assurance” that the device and related systems are cybersecure, and make available postmarket updates and patches, including security patches, through secure update mechanisms. They have to provide the FDA with a software bill of materials (SBOM) listing the device’s software components, whether commercial, open-source, or off-the-shelf.
 
The law is designed to get manufacturers thinking not just about the device’s security but about the security of the entire system in which it operates, for the entire lifetime of the product, Ross said. This is especially important in an era where both the technology and the threats to it evolve continuously and rapidly.
 
The final premarket guidance released in September contains recommendations to help manufacturers comply with these requirements. In particular, it addresses how cybersecurity fits into the Quality System Regulation (21 CFR part 820) and the documentation expected in premarket submissions. These issues will be explained in more detail soon, Ross said. “We are working to update eSTAR [electronic Submission Template And Resource] to walk you through the guidance as well as additional 524B content.” She didn’t say when this update would be complete.
 
The agency’s cybersecurity concerns don’t focus only on new products, Ross said. In November, an FDA-commissioned report tackled the problem of cyber threats to legacy devices (RELATED: Legacy devices report highlights need for data to support future policies, Regulatory Focus, 17 November 2023).
 
“We recognize the Total Product Life Cycle and that devices do get used beyond their intended lifetime,” Ross said. “We emphasize in this guidance that ‘legacy’ isn’t just a function of age. We’re talking about devices that cannot be reasonably protected against current cybersecurity threats.”
 
Products like these, which can’t be updated to withstand the current and evolving sophistication of cybersecurity attacks, “will continue to be that thorn in the side for manufacturers,” said Edison Alvarez, senior director of regulatory strategic planning for cybersecurity at BD. “Any changes at all to legacy products will then force that product to come into compliance with these new cybersecurity regulations,” and that can be a very expensive headache.
 
“Most of us didn’t build any cybersecurity features into legacy products because that just wasn’t a thing back then,” Alvarez said. “So I jokingly say, don’t open Pandora’s box if you’re going to try to change a product. They may be great products, serving their purpose and providing patient care, but they’re also starting to accumulate risks and exploitability. It’s becoming a very difficult thing to manage over time. Even to make a subtle change can be a huge drain on resources and cost.”

“In the past, having a product out in the field for 20 years was a sign that you did a great job,” Alvarez said. “That same product now is actually introducing risks.”
 