Dr. Suzanne Schwartz explains what device makers need to know to get FDA approval
Marianne Kolbasuk McGee (HealthInfoSec) •
April 14, 2023
The FDA’s Dr. Suzanne Schwartz said the Food and Drug Administration’s new policy of “refusing to accept” premarket submissions for new medical devices that lack cybersecurity details will help prevent today’s legacy-device problems from recurring and significantly improve the state of legacy equipment in the future.
“Ultimately, we want to be able to remove the long, long tail of legacy equipment currently in use,” said Schwartz, director of the Office of Strategic Partnerships and Innovation at the FDA’s Center for Devices and Radiological Health.
Beginning October 1, the FDA will reject premarket submissions for devices that do not detail their cybersecurity measures, including plans to address post-market vulnerabilities, a process for coordinated vulnerability disclosure, and a software bill of materials (see: FDA Will Soon Begin Refusing Medical Devices on Cyber).
In the meantime, between now and October 1, the FDA already expects such cybersecurity details to be included in new device submissions, but the agency is working with manufacturers to address security gaps in the documentation they provide to the FDA, Schwartz told Information Security Media Group.
The FDA was given expanded powers over medical device cybersecurity by Congress as part of the omnibus funding bill signed into law by President Joe Biden in December (see: Exclusive: FDA Leader on Impact of New Medical Device Act).
The FDA’s “refuse to accept” policy has existed for years, but until now it did not apply to medical device cybersecurity. “It’s a kind of stage gating or screening for acceptance criteria for submissions that goes into effect Oct. 1,” she said. “Are all appropriate administrative elements included? If any element is missing, the submission will be immediately rejected or returned.”
“There will always be legacy devices, and those legacy devices must be cybersecured and maintained in a safe and effective manner,” she said. Current legacy devices pose significant challenges for healthcare delivery organizations because they cannot be patched or updated and present a huge exposure and attack surface, she said.
As the FDA’s new policy takes hold, the new products entering the market will eventually become legacy devices themselves, so it is important that identified vulnerabilities can be patched and devices updated without impacting their performance.
In this video interview with the Information Security Media Group, Schwartz also explains:
- Why most products reviewed by the FDA are considered “cyber devices” under the new regulations.
- Details of the documentation the FDA currently expects as part of premarket device submissions, and how the FDA’s cybersecurity review of it is performed.
- What’s next in FDA’s plan for medical device cybersecurity.
Schwartz supports the FDA’s medical device cybersecurity program, which includes raising awareness within the medical and public health sector, education and outreach, building partnerships and coalitions, and facilitating cooperation with other government agencies and the private sector. She also chairs CDRH’s Cybersecurity Working Group, which is tasked with developing the FDA’s medical device cybersecurity policy, and co-chairs the Government Coordinating Council for the Healthcare and Public Health Critical Infrastructure Sector.