    How the FDA’s crackdown on cybersecurity affects medtech firms

    By Healthradar, 7 October 2025

    SAN DIEGO — Medical device cybersecurity regulation has undergone a lot of change in recent years as the Food and Drug Administration has used its new authority to more strictly oversee devices coming to market.

    Michelle Jump, CEO of the cybersecurity firm MedSec, said the FDA has changed its approach from a carrot to a stick, utilizing newly granted authority from Congress and guidance documents as a stronger leverage point with industry.

    The agency’s new authority comes from what is called section 524B. The section, which was added to the Federal Food, Drug and Cosmetic Act through an omnibus spending bill in late 2022, implemented stricter and more robust requirements for medical device companies, such as a plan to monitor for and identify potential cybersecurity vulnerabilities.

    Along with new guidance from the agency, Jump said, section 524B has shifted how the FDA regulates medical device cybersecurity.

    Jump spoke with MedTech Dive at AdvaMed’s The MedTech Conference about the FDA’s new approach to cybersecurity regulation and the biggest challenges that companies face.

    This interview was edited for length and clarity.

    MEDTECH DIVE: There has been a lot of change in cybersecurity regulation in the past two or three years. What has it been like to go through that, from an industry perspective?


    MICHELLE JUMP: When the new guidance came out, the first pre-market guidance … I read it, and there’s a lot of detail in it, but the main things the FDA is asking for have not changed. The reason people felt differently is because it also coincided with this 524B passage. When I say the carrot and stick, that’s what happened. Because the FDA had guidance. They asked, “Pretty please, will you please stop doing this?” But in order to issue a negative decision on a [medical device] submission, they had to connect it to safety or effectiveness to actually initiate that decision … In order to really hold a company’s feet to the fire, when it comes to cyber, they had to tie it back [to] safety.

    What happened with 524B and the new guidance and these things — especially the 524B statutes — now, all of a sudden, the FDA just had to say you’re not providing reasonable assurance of cyber. So, all of a sudden, the things the FDA wanted companies to do became a yes or no decision on the submission. That made a huge change, because … the FDA saw a lot of products going to market that they think needed better cybersecurity, I think. And so when they got that leverage point of 524B, they now had statutory authority to rule in a way that held a stronger, tighter bar against products going to market because of the congressional authority.

    When the guidance came out and 524B came out … I was a little bit flummoxed when all these companies were going, “Oh, my gosh, did you see the new guidance?” I did an analysis against what the FDA has been asking over the last 10 years, from the post-market guidance in 2016 all the way through to today, and you know what? They haven’t asked a lot of different things. They just now have a better leverage point to say no if you don’t do it.

    With this change in regulatory approach, the shift from the carrot to the stick that you mentioned, do you think that’s because there was a real concern that the industry was not taking cybersecurity seriously?

    That is exactly what the issue was. The FDA is very responsible for the massive shift in focusing on security that we’ve seen in this industry and beyond. The regulators of other jurisdictions have also been inspired by what the FDA has done. The FDA has led this cybersecurity working group at [the International Medical Device Regulators Forum] — alongside Canada — and they’ve really pushed the bar for what does good look like for cybersecurity.

    I think the FDA should be given credit for where this industry has gone, but everybody eventually loses patience and yells at their kid, right? And I think the statutes were like, we’ve got to get to the people who are not listening … But the statutory requirements, the people who were shocked by it, were the people who were waiting to get yelled at.

    Are there still challenges for companies when working with the FDA?

    The concern I have is that all of these things are important, and they should be done, but we have to be aware that the business of healthcare has a limit of what people can pay for new products, what manufacturers can pay for development. And so, if the bar is too high, you could be situated where it makes it hard to launch as many products. Maybe a company, and I have no evidence of this, but you could easily see how a company is like, “Well, I would really like to connect this product, but the bar for cyber is going to mean that I have to hire a whole new team for managing in the post-market space. I have to do all these things.”

    And quite honestly, there are not enough cyber people available to cover all of this work. And the cyber people who are around … they want to do the interesting stuff that brought them to cyber. So, you have to have people who are skilled enough to do the everyday maintenance that cyber requires to really be performed. And that’s what a lot of the new guidance and statutes are — ongoing vulnerability management, ongoing patching, the stuff that’s not as fun as designing new devices. But you have to have some level of understanding and security to do it well, and there just aren’t enough people out there. Teams are trying their best to train people up. They’re trying to do the things that they can.

    But the thing that I’m most concerned about is the bar is pretty high, and it is going to have financial impacts to what comes out to the market and what products are allowed to stay in the market, because companies can just retire products that they may have supported longer. I’m not saying all of this is happening, but if we look at what’s the consequence of better security and a much stronger line, that could be something that happens when manufacturers are making decisions on what to do with their resources.

    You mentioned that before 524B the FDA was really cooperative with companies. Has the agency maintained that level of cooperation?

    The cooperation of our government partners has been a little strained because of changes in resources at the government level. I’m in international standards, and I see the FDA fighting tooth and nail to get back on the committees. They haven’t been allowed to host these big workshops like they had before. That costs money. So, I would say that in spirit, the FDA is still highly supportive of doing what needs to happen. The realities are, right now, they have some challenges with funding and availability because of the current ongoing [Reduction in Forces] in the administration.

    What are some of the biggest cybersecurity challenges that companies are facing right now?

    It depends on the size of the company. Because small companies are completely overwhelmed by how much paperwork they need to create, and they often start way too late. Their lives could have been much easier if they had started early, but they don’t even have the resources to know they should have started earlier. So, trying to meet the FDA bar with a small- or even mid-sized company is very hard, and doing it at the end of development is even harder.

    For larger companies, it’s been not just the new products that are being released — people have been developing great, secure products for years now — it’s the realization that, okay, if we have to take this product back to market, we’re going to put in a modification 510(k). And now we’re looking at, we might not be able to do that. Because you’re starting to open up historical products that were designed as state of the art when they were developed … People have made huge strides in what they do, but hospitals use products for 10, 15, 20 more years. That [legacy medical device] issue, it’s that quiet problem that keeps not surfacing because nobody knows what to do with it. Nobody’s figured that out. And I think that there’s a lot of hidden risk out there in hospitals because of the age of the products that are out there that are not patchable at this point, they’re not fixable.


