Less than two months ago, the Food and Drug Administration (FDA) issued new cybersecurity guidance for medical devices as a follow-up to the Omnibus appropriations legislation (the Consolidated Appropriations Act, 2023) adopted by Congress in December 2022, which added new cybersecurity requirements for "cyber devices" to the Federal Food, Drug, and Cosmetic Act.

On the latest (and 18th!) episode of our podcast, IoT: The Internet of Threats, we welcomed back Larry Pesce, Director of Product Security Research and Analysis at Finite State, to discuss these changes to the FDA's cybersecurity requirements for medical devices.

Decoding the FDA's RTA Decision Process and Its Impact on Connected Medical Devices

"The biggest change comes down to that initial submission where the FDA now has that initial right to refuse. You need a plan for ongoing maintenance, to be mindful of the security industry and new vulnerabilities, and a plan for patching," Larry explains on the episode.

The new requirements apply to premarket submissions for cyber devices. Manufacturers must submit a plan for monitoring, identifying, and addressing postmarket cybersecurity vulnerabilities and exploits in their devices, including a coordinated vulnerability disclosure process. They must also design, develop, and maintain processes that provide reasonable assurance that the device and related systems are cybersecure, and make postmarket security updates and patches available on a reasonably justified regular cycle, and out of cycle as soon as possible for critical vulnerabilities that could cause uncontrolled risk.

In a new twist, manufacturers must also provide a software bill of materials (SBOM) covering the commercial, open-source, and off-the-shelf software components in the device with their premarket submissions. On the episode this is framed more broadly as a cyber bill of materials (CBOM) that pairs the SBOM with a hardware bill of materials (HBOM). The CBOM matters because it lets the manufacturer (and the FDA) map a newly disclosed vulnerability to the exact software and hardware components in a given device, which is what the monitoring and patching plan above depends on.

What Do the FDA's RTA Changes Mean for Future Medical Devices?

How prepared are medical device manufacturers for this change?

As Larry points out, this will depend on the individual manufacturer. Some already go above and beyond the requirements due to a strong sense of pride in their work, while others may be driven more by the risk of liability.

The biggest change, according to Larry, comes down to the initial submission to the FDA. If a manufacturer doesn't have a comprehensive plan for ongoing maintenance or a robust CBOM at the time of submission, the FDA now has the right to refuse to accept (RTA) the application.

Asked whether manufacturers will need to invest significant effort to meet these new requirements, Larry says this depends on their current practices. Some may already be doing some of this work, but perhaps not to the depth now required; others will need to put in considerably more effort to meet the new standard.

Interestingly, Larry points out that some manufacturers who have already experienced cybersecurity compromises might be better prepared for these new requirements. These companies have learned the hard way the importance of taking cybersecurity seriously and are likely further ahead in their processes.

To find out more about the future of cybersecurity in medical devices, and to hear Larry's insights in full, tune into our latest podcast episode.

It's a compelling exploration of a rapidly evolving field that is set to transform the medical device industry.

Episode Links

In this episode, Eric and Larry discuss:

  • The FDA's new Refuse-To-Accept (RTA) decision authority and what it means for SBOMs and the premarket submissions of medical devices
  • Whether the medical device sector is adequately prepared for these changes
  • How the new regulations may alter the liability vs. risk tolerance question for medical device manufacturers
  • The extent to which the FDA will rigorously enforce the new premarket submission requirements
  • The potential qualitative difference this new regulation may bring to the overall security of medical devices
  • How cyberattacks often lead companies to make meaningful, lasting changes in their cybersecurity practices

All episodes of Finite State’s “IoT: The Internet of Threats” podcast can be heard on Spotify, Apple Podcasts, and Google Podcasts.