
FDA and Cybersecurity for SaMD

Posted by Sierra Labs on Aug 7, 2023 10:52:00 AM

The implications that cybersecurity regulations and standards will have on your medical device development!

The healthcare industry has seen a drastic increase in data breaches over the last few years. In 2021 alone, there were nearly 600 data breaches affecting the data of more than 41 million patients, as reported by the U.S. Department of Health and Human Services. The FDA has decided to ramp up measures on cybersecurity safety and effectiveness for medical devices. Here is what these new updates mean for you and your medical device company!

Legal Challenges of Cyber Threats

Cyber breaches and major data hacks have put medical device companies at the forefront of legal battles. Since 2019, the number of data breaches has grown on average by 10% every year! Cyber attacks are costing businesses an increasing amount of money. These costs include customer-service turnover, revenue lost to system downtime, and the expense of acquiring new clients once a company's reputation has been damaged.

The majority of healthcare organizations are not fully utilizing security automation tools. According to IBM, only 23% have implemented new technologies into their daily workflows and processes, which can leave them vulnerable to cyber attacks or other malicious activity. After the pandemic, the medical device industry has moved collectively to a more digital landscape, with patients relying heavily on laptops for medical treatments. This leaves individuals and entire hospital networks susceptible to cyber attacks, because the same groups that handle sensitive data or PHI are adopting a growing number of medical device technologies.

New Budget for Cybersecurity

The FDA is increasing its budget by $5.5 million dedicated toward a new cybersecurity program aiming to protect devices from ransomware and cyber threats. At this time, the agency has only a very small staff supporting its cybersecurity efforts.

The first step toward revamping its program is hiring experts in the field who understand the current cybersecurity requirements imposed by regulations such as HIPAA and GDPR, in order to build a more well-rounded process for reviewing devices that gather or use data. Yet a major problem the agency faces is the hefty salaries that cyber experts command in today's market.

If you’d like to learn more about how your medical device can get one step closer to GDPR or HIPAA compliance, download our ebook today!

A potential solution the agency has discussed in its guidance is using part of the budget to train staff internally on the new cybersecurity measures. This would improve how the agency reviews market submissions from medical device companies by adding a cybersecurity checklist to the review.

New Measures for Premarket Submissions

The FDA is expanding on its 2014 recommendations by providing more details about how device manufacturers should integrate cybersecurity considerations into their quality systems and what information they need to include in premarket submissions (PMAs, 510(k)s, de novo).

The FDA is aware that there are currently no federal regulations requiring manufacturers of medical devices to address cybersecurity. There is also a lack of post-market surveillance for devices already on the market. The new revisions will require companies whose medical solutions operate within hospitals and healthcare partners to have a plan for correcting potential data breaches.

New premarket submissions must contain evidence showing reasonable assurance of "safety and effectiveness". To achieve this, all medical device companies will have to submit a software bill of materials (SBOM) detailing the commercial, open-source, and off-the-shelf software components used by the manufacturer(s). The second part of this revision is ensuring each company has a protocol in place to offer full transparency about software updates, patches, and potential breaches, so that patients and partners are aware of all corrective and preventive actions in place.

The main requirements of the FDA are summarized below:

  1. that premarket submissions to the FDA include evidence demonstrating a reasonable assurance of the device's safety and effectiveness for purposes of cybersecurity;
  2. that marketed devices demonstrate a reasonable assurance of the device's safety and effectiveness for purposes of cybersecurity;
  3. that devices have the capability to be updated and patched in a timely manner;
  4. that manufacturers provide a device Software Bill of Materials (SBOM) with their devices so users know which components of their devices are or may be subject to cyber threats;
  5. that device manufacturers publicly disclose when they learn of a cybersecurity vulnerability.
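To make the SBOM requirement in items 4 and 5 concrete, here is an added Python example (not from the original post and not Sierra Labs' code) that first checks a minimal CycloneDX-style SBOM for the fields a reviewer needs and then matches each component's version against an advisory list, which is how users learn which components "are or may be subject to cyber threats". The SBOM contents, component names, versions and advisory identifiers are all constructed placeholders; the CycloneDX field names (`bomFormat`, `components`, `type`, `name`, `version`) and purely numeric dotted versions are assumptions of this example.

```python
from typing import Dict, List

# Constructed minimal CycloneDX-style SBOM for a hypothetical SaMD build.
# Component names, versions and suppliers are placeholders, not real products.
SAMPLE_SBOM: Dict = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-tls-lib", "version": "1.1.3",
         "supplier": {"name": "Example TLS Project"}},
        {"type": "library", "name": "example-sqlite-wrapper", "version": "3.39.0"},
        {"type": "library", "name": "example-dicom-parser", "version": "2.3.1"},
        {"type": "application", "name": "vendor-runtime", "version": "5.0"},
    ],
}

# Constructed advisory list (placeholder identifiers, not real CVEs).
# A component is affected when introduced <= version < fixed.
SAMPLE_ADVISORIES: List[Dict] = [
    {"id": "ADVISORY-PLACEHOLDER-1", "name": "example-tls-lib",
     "introduced": "1.1.0", "fixed": "1.1.8"},
    {"id": "ADVISORY-PLACEHOLDER-2", "name": "example-dicom-parser",
     "introduced": "2.0.0", "fixed": "2.4.0"},
    {"id": "ADVISORY-PLACEHOLDER-3", "name": "example-sqlite-wrapper",
     "introduced": "3.40.0", "fixed": "3.41.0"},
]

# Fields every component entry needs before it can be matched to an advisory.
REQUIRED_FIELDS = ("type", "name", "version")


def parse_version(text: str):
    """Turn a dotted numeric version into a comparable tuple, e.g. '1.1.3' -> (1, 1, 3).
    Non-numeric version parts (assumed not to occur here) raise ValueError."""
    return tuple(int(part) for part in text.split("."))


def validate_sbom(sbom: Dict) -> List[str]:
    """List the gaps that would stop a reviewer from matching components to advisories."""
    problems = []
    if sbom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not CycloneDX")
    components = sbom.get("components", [])
    if not components:
        problems.append("no components listed")
    for idx, comp in enumerate(components):
        for field in REQUIRED_FIELDS:
            if not comp.get(field):
                problems.append(f"component {idx} missing {field}")
    return problems


def affected_components(sbom: Dict, advisories: List[Dict]) -> List[Dict]:
    """Return one record per (component, advisory) pair whose version is in the affected range."""
    hits = []
    for comp in sbom.get("components", []):
        if not comp.get("version"):
            continue  # validate_sbom already reports this gap
        version = parse_version(comp["version"])
        for adv in advisories:
            if adv["name"] != comp["name"]:
                continue
            if parse_version(adv["introduced"]) <= version < parse_version(adv["fixed"]):
                hits.append({"component": comp["name"], "version": comp["version"],
                             "advisory": adv["id"], "fixed_in": adv["fixed"]})
    return hits


if __name__ == "__main__":
    for problem in validate_sbom(SAMPLE_SBOM):
        print("SBOM problem:", problem)
    for hit in affected_components(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(f"{hit['component']} {hit['version']} affected by {hit['advisory']}, "
              f"patch to {hit['fixed_in']}")
```

Run as-is, the script reports no SBOM problems and flags `example-tls-lib 1.1.3` and `example-dicom-parser 2.3.1` as affected, while `example-sqlite-wrapper 3.39.0` sits below its advisory's introduced version and is not flagged. The validation step matters because an SBOM entry with no version cannot be matched at all, which defeats the purpose of item 4.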

How Sierra QMS can help your teams

If you want to be successful in your industry, the work of navigating regulatory requirements should rest with a team that has the proper tools at its disposal. Sierra QMS is designed for organizations that are looking to market their medical devices in a globally regulated environment. It is built for engineering teams to operate with their preferred tool sets while automating compliance with cybersecurity standards in global markets.

Here at Sierra Labs, we offer more than just an effective monitoring tool for your company. You can also count on us to provide assistance and guidance when it comes time to implement cybersecurity compliance. With our easy-to-use software, your quality manager will effortlessly access and reference the materials to perform their role.

Don't have a quality team? No worries! Sierra Labs can act as your remote quality team, helping you implement your QMS within your current operations.

With Sierra QMS, we help rooted companies solidify their regulatory foundation by creating a unique and tailored quality program to meet organizational objectives with complete transparency.


Topics: ISO 14971, Data Security, Data Privacy, Data Requirements, Data Integrity, 21 CFR Part 820, Personal Health Information, Health Data, PHI, Medical Device Startups, Scale-ups, Cybersecurity
