The FDA plays a critical role in regulating medical devices and ensuring their safety and effectiveness, including their cybersecurity. The United States Food and Drug Administration has released guidance documents and recommendations for medical device cybersecurity, and has also established a premarket cybersecurity review program to assess the cybersecurity of new medical devices before they are approved for sale.

By establishing standards and guidelines for medical device cybersecurity, the FDA is helping to ensure that medical devices are designed and developed with security in mind. Additionally, the FDA's premarket cybersecurity review program helps to identify and mitigate cybersecurity vulnerabilities in new medical devices before they enter the market, reducing the risk of cyber attacks and protecting patient safety.

In 2022, the Consolidated Appropriations Act, 2023 ("Omnibus") was signed into law. Section 3305 of the Omnibus bill featured an amendment, section 524B, entitled "Ensuring Cybersecurity of Medical Devices." With it, the agency is taking the cybersecurity of medical devices seriously: it is moving from recommended guidance to a Refuse to Accept stance on submissions received.

Effective today, March 29, 2023, the FDA has significantly increased its role in regulating the cybersecurity requirements of medical devices by instituting an RTA (Refuse to Accept) decision for premarket cybersecurity submissions. Essentially, this grants the agency statutory authority to accept or refuse submissions based on whether they have met all aspects of section 524B.

What Does This Mean?

First, this means that the RTA is a forcing function for product manufacturers to ensure the completeness of their submission to comply with the FDA’s suggested guidance. However, it's not like they will flat-out turn manufacturers away. Yet. If they deem the cybersecurity submission not up to standard, they will work with OEMs through October 1, 2023, to ensure that all information and requirements are met as outlined in section 524B.

This is an enormous shift and might cause some pain for OEMs who rely on the revenue their connected products can fetch on the market. The reality is the level of connectedness introduces a substantial amount of risk, along with an always-expanding attack surface that can offer up low-hanging fruit for attackers if they are aware of device vulnerabilities. 

While healthcare providers and medical device manufacturers have a crucial role to play in securing medical devices, the FDA's role in medical device cybersecurity is also essential. The FDA's guidance, recommendations, and premarket cybersecurity review program help to establish standards and best practices for medical device cybersecurity, protecting patients from cyber attacks, and ensuring the safety and effectiveness of medical devices.

The CBOM Requirement - A Big Part of Section 524B

The FDA's role in medical device cybersecurity will become even more important starting on March 29, 2023, when the FDA will begin enforcing the Cybersecurity Bill of Materials (CBOM) requirement for medical devices. The CBOM is a new requirement that will require medical device manufacturers to disclose a comprehensive list of software and hardware components used in their medical devices, including third-party software and open-source components.

This new requirement will give the FDA greater visibility into the security of medical devices and allow the agency to better assess the risk of cyber attacks. The CBOM will also enable healthcare providers to better manage the security of the medical devices they use, by allowing them to identify and address potential vulnerabilities.

The FDA's authority to enforce the CBOM requirement is an important step in improving medical device cybersecurity, and underscores the agency's commitment to ensuring the safety and effectiveness of medical devices. It also highlights the importance of collaboration between healthcare providers, medical device manufacturers, and regulatory agencies in addressing the growing threat of cyber attacks on medical devices.

This expanded authority in medical device cybersecurity, particularly with the enforcement of the CBOM requirement, will help to improve the security of medical devices and better protect patients from cyber attacks. It is an important step towards a safer healthcare ecosystem, and highlights the ongoing efforts to ensure that medical devices are designed, developed, and used with security in mind.

How do Medical Device Manufacturers comply with the FDA's CBOM Requirement?

To comply with the FDA's new Cybersecurity Bill of Materials (CBOM) requirement, medical device manufacturers should take the following steps:

  • Establish a comprehensive inventory of all software and hardware components used in their medical devices, including third-party components and open-source software.
  • Develop a process for identifying and managing vulnerabilities in these components, and establish procedures for assessing the risk of cyber attacks.
  • Establish a system for tracking and updating the components used in their medical devices, and maintain accurate records of all changes.
  • Implement a plan for communicating with healthcare providers and other stakeholders regarding any vulnerabilities or updates to the components used in their medical devices.
  • Develop and implement policies and procedures for ongoing cybersecurity risk management, including regular vulnerability assessments, incident response planning, and employee training.
  • Ensure that all stakeholders involved in the design, development, deployment, and use of medical devices are aware of and comply with the CBOM requirement.

It's worth noting that compliance with the CBOM requirement is just one aspect of medical device cybersecurity. Medical device manufacturers should also follow best practices for securing medical devices, including risk assessments, threat modeling, and ongoing security monitoring. 

The CBOM is Cool. But Don’t Forget About the SBOM

AppSec and Product Security teams should focus on creating a Software Bill of Materials (SBOM) as a critical component of complying with the new Cybersecurity Bill of Materials (CBOM) requirement. An SBOM for medical devices is a detailed list of all the software components that are used in a medical device, including information about the version, supplier, and any known vulnerabilities or dependencies. An SBOM is a key component of the CBOM requirement and will help manufacturers and stakeholders to assess the security posture of a medical device and identify potential risks.

Creating an SBOM for medical devices can be a challenging task, especially for complex devices that use a wide variety of software components. Manufacturers will need to work with their suppliers to obtain information about the software components they use, and then compile that information into a comprehensive and accurate SBOM.

Additionally, manufacturers will need to ensure that the SBOM for medical devices is regularly updated to reflect changes in the software components used in their devices.
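The Python example below, added here and not taken from the FDA or Finite State, checks an SBOM for the fields named above (version, supplier, dependencies) and reports what changed between two releases. It assumes CycloneDX-style JSON field names, which the article does not specify, and all component names and versions are constructed.

```python
# Added example. Layout follows CycloneDX JSON field names (an assumption; the
# article names no SBOM format). All component data below is constructed.
REQUIRED = ("name", "version", "supplier")

def comp(ref, version, supplier):
    return {"bom-ref": ref, "name": ref, "version": version,
            "supplier": {"name": supplier} if supplier else None}

DEPS = [{"ref": "example-shell", "dependsOn": ["example-tls", "example-zlib"]}]
SBOM_V1 = {"dependencies": DEPS, "components": [
    comp("example-tls", "1.0.2", "Example TLS Project"),
    comp("example-shell", "3.1", "Example Shell Maintainers"),
    comp("legacy-ftp", "0.9", "Example FTP Vendor"),
    comp("vendor-rtos", "", None)]}          # version and supplier never recorded
SBOM_V2 = {"dependencies": DEPS, "components": [
    comp("example-tls", "1.0.3", "Example TLS Project"),
    comp("example-shell", "3.1", "Example Shell Maintainers"),
    comp("example-zlib", "2.0", "Example Zlib Maintainers"),
    comp("vendor-rtos", "5.2", "Hypothetical RTOS Vendor")]}

def _index(sbom):
    return {c["bom-ref"]: c for c in sbom.get("components", [])}

def missing_fields(sbom):
    """Return {bom-ref: [required fields absent or empty]}."""
    gaps = {}
    for ref, c in _index(sbom).items():
        values = {"name": c.get("name"), "version": c.get("version"),
                  "supplier": (c.get("supplier") or {}).get("name")}
        absent = [f for f in REQUIRED if not values[f]]
        if absent:
            gaps[ref] = absent
    return gaps

def dangling_dependencies(sbom):
    """Refs used in the dependency graph that have no component entry."""
    used = set()
    for dep in sbom.get("dependencies", []):
        used.update([dep["ref"], *dep.get("dependsOn", [])])
    return sorted(used - set(_index(sbom)))

def diff_components(old, new):
    """Added, removed and version-changed components between two releases."""
    a, b = _index(old), _index(new)
    changed = {r: (a[r]["version"], b[r]["version"])
               for r in sorted(set(a) & set(b)) if a[r]["version"] != b[r]["version"]}
    return {"added": sorted(set(b) - set(a)),
            "removed": sorted(set(a) - set(b)), "changed": changed}

if __name__ == "__main__":
    print(missing_fields(SBOM_V1), dangling_dependencies(SBOM_V1))
    print(diff_components(SBOM_V1, SBOM_V2))
```

A dependency that appears in the graph but has no component entry, like `example-zlib` in the first release, is the kind of gap that hides a third-party library from later vulnerability matching.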

By creating an accurate and up-to-date SBOM, manufacturers will be able to better understand the security risks associated with their medical devices, and take steps to mitigate those risks. 

In addition, healthcare providers and other stakeholders will be able to use the SBOM to manage the security of the devices they use, and to make informed decisions about which devices to deploy in their organizations.

In summary, the creation of an SBOM for medical devices is a critical component of complying with the new CBOM requirement. Manufacturers should prioritize the creation of an accurate and up-to-date SBOM for their medical devices, and work with their suppliers and other stakeholders to ensure that the SBOM is comprehensive and effective in managing cybersecurity risks.

How Finite State's Next Generation Platform can help

Finite State’s Next Generation Platform is a SaaS-based solution that leverages over 2 billion data points to accurately analyze software and firmware artifacts, with the ability to ingest, aggregate, and correlate over 120 external sources for a fully prioritized risk view.

The platform is the most comprehensive solution for generating, collecting, visualizing, and distributing SBOMs and can help medical device manufacturers: 

  • Generate and manage SBOMs in any format to enable software transparency
  • Orchestrate and correlate scan findings from 120+ scanning tools
  • Monitor Application and Product Security risk across product portfolios with dynamic risk scoring to prioritize critical findings
  • Generate the market’s most thorough and accurate SBOMs with world-class binary SCA (software composition analysis)
