Medical device makers in their premarket submissions to the Food and Drug Administration – under the agency’s new “refuse to accept” policy for cybersecurity – should pay especially close attention to details such as a product’s software bill of materials and vulnerability management plan, said Jessica Wilkerson, an FDA senior cybersecurity advisor.
SBOMs and vulnerability management issues have been among the top areas of difficulty for medical device makers in premarket submissions as the agency prepares to enforce, starting Oct. 1, its right to reject medical device submissions that lack particulars on cybersecurity.
“Software bill of materials in many ways is still a maturing and evolving concept. And so we are one of the first federal agencies to be explicitly requiring software bill of materials as part of our regulatory process,” she told Information Security Media Group.
The FDA can, as of October, routinely reject medical device premarket submissions that don’t include specific cybersecurity details required by the agency under an amendment Congress made to the Federal Food, Drug, and Cosmetic Act and signed into law last December by President Joe Biden (see: FDA Finalizes Guidance Just as New Device Cyber Regs Kick In).
In its review of premarket product submissions, the FDA will scrutinize whether a medical device is resilient to cyber threats, Wilkerson said.
“Does this medical device provide a reasonable assurance that the device and related systems are cybersecure? That’s not something that can be done in a checklist fashion. That’s something that has to be taken in total from the different characteristics of the device, including things like its threat model, its update capability, its software supply chain, and some of these other things.”
The FDA has been working with medical device makers since March 29, when the refuse-to-accept policy for cybersecurity issues technically went into effect, to help makers better understand how to avoid rejection, Wilkerson said.
“The FDA has always had a very collaborative approach with the medical device manufacturer community. The reason that we’re so collaborative is we want to see advanced device capabilities get out into the market that will improve patient quality of life and patient care,” she said.
In the audio interview, Wilkerson also discusses:
- How the FDA’s cybersecurity review process works;
- What device makers can expect next if a product submission is rejected by the FDA based on cybersecurity concerns;
- How medical device makers can best use the FDA’s newly released, 57-page final premarket medical device cybersecurity guidance to better understand the cyber details required by the agency;
- How the FDA’s enhanced authority over medical device cybersecurity will affect healthcare delivery organizations that use the products and their patients;
- FDA’s other past and future actions around medical device cybersecurity, including legacy products.
Wilkerson is senior cyber policy advisor and medical device cybersecurity team lead with the All Hazards Readiness, Response, and Cybersecurity, or ARC, team in the Center for Devices and Radiological Health within the FDA. As part of ARC, she examines issues and develops policy related to the safety and effectiveness of connected medical devices.
Date: 2023-09-30 08:46:54