Exclusive: FDA Leader on Impact of New Medical Device LawDr. Suzanne Schwartz on FDA's New Authority to Hold Device Makers Accountable
The $1.7 trillion omnibus spending bill signed into law last week by President Joe Biden contains new cybersecurity requirements for medical devices that make it a game changer for strengthening security within the healthcare ecosystem, says Dr. Suzanne Schwartz of the U.S. Food and Drug Administration.
"After a good number of years informing the ecosystem how critical cybersecurity is to patient safety and the security of the healthcare and public health critical infrastructure, we now have validation and acknowledgment of its criticality by having this put into law," says Schwartz, director of the Office of Strategic Partnerships and Technology Innovation at the FDA's Center for Devices and Radiological Health.
Many of the provisions included in the new legislation - the Consolidated Appropriations Act of 2023 - broadly mirror actions that the FDA has already been urging medical device makers to take in ensuring the cybersecurity of their products.
Similar proposals were also contained in a handful of previous bills aimed at improving medical device cybersecurity - such as the PATCH Act last year - that did not gain traction as stand-alone bills (see: Medical Device Security Provision Now Part of Spending Bill).
But now, under the new law, manufacturers, in their product submissions to the FDA, must include sufficient evidence of the device's ability to be updated and patched and its security controls and testing, as well as provide a software bill of materials for commercial, open-source and off-the-shelf software components.
"That is required upfront," Schwartz says in an interview with Information Security Media Group.
Life Cycle Security
While the law pertains to new products, "those measures taken in the early stages will further enable us to have far more secure devices throughout the life cycle, as those devices stay on the market and are in clinical use - as opposed to what we currently face - which have frankly been very challenging to be updated or patched in a secure manner," she says.
"Even though we have said over and over that cybersecurity of medical devices is not optional and not voluntary, we've never had until now the power of statute, of actual legislation, requiring manufacturers to address cybersecurity of medical devices," she says.
"Putting that link between reasonable assurances of safety and effectiveness of medical devices to medical device cybersecurity - that is highly significant for us," she says.
In the past, the FDA used its "implicit authority" through its quality system regulation to help advance the state of the ecosystem for cybersecurity, according to Schwartz.
"Now we have explicit authorities and oversight for doing so. That's a massive shift, and we're quite excited about what the future holds in store."
The legislation also provides the FDA with $5 million in funding to help support its expanded medical device cybersecurity regulatory efforts.
In this audio interview with Information Security Media Group (see audio link below photo), Schwartz also discusses:
- Key takeaways for medical device makers and healthcare delivery organizations regarding the potential impact of the newly enacted law and the FDA's enforcement of the new medical devices cybersecurity requirements;
- The future of the FDA's updated draft guidance for the cybersecurity of premarket medical devices issued last April;
- How the new law meshes with President Biden's 2021 executive order for bolstering cybersecurity in the federal government and the implications of other significant security provisions contained in the legislation.
Schwartz supports the FDA's medical device cybersecurity program, which includes raising awareness, educating, and conducting outreach, partnering and coalition building within the healthcare and public health sector, as well as fostering collaborations across other government agencies and the private sector. She also chairs CDRH's cybersecurity working group, tasked with formulating the FDA's medical device cybersecurity policy, and has served as co-chair of the Government Coordinating Council for the healthcare and public health critical infrastructure sector.
Marianne McGee: I'm Marianne Kolbasuk McGee, executive editor at Information Security Media Group. Today I'm speaking with Dr. Suzanne Schwartz of the FDA. Dr. Schwartz is the director of the Office of Strategic Partnerships and Technology Innovation in the FDA Center for Devices and Radiological Health. We're going to be discussing the significance of spending legislation recently signed into law by President Biden that includes requirements for medical device makers to address the cybersecurity of their connected devices. Dr. Schwartz, over the last year or so, there have been a handful of bills introduced into Congress that have included proposals that basically intended to boost FDA's authority when it comes to medical device cybersecurity. While those bills didn't gain traction. Some of the proposals ended up in H.R.2617, the Consolidated Appropriations Act of 2023 that was passed by the House in the Senate and signed into law by President Biden on December 29. That includes provisions that require medical device makers to submit detailed cybersecurity plans to the FDA, including a software bill of materials as part of their product submissions to the FDA. But as we know, the FDA has been urging medical device makers to improve the cybersecurity of their products for some time now. So what makes this legislation so significant?
Dr. Suzanne Schwartz: Thank you. Let me start off by saying that we are thrilled to receive these authorities. One of the concepts that you and I have talked about, and that I've spoken about publicly is that while we have been encouraging and urging manufacturers in the medical device space, to take up cybersecurity of medical devices from a total product lifecycle approach, from its initial design stage all the way out until those devices are essentially made end of life. We've utilized our approach through guidance, which is non-binding recommendations. Although we have said over and over again, cybersecurity of medical devices is not optional, it's not voluntary. We've never had until now the power of statute as actual legislation, requiring manufacturers to address cybersecurity of medical devices, and putting that link between reasonable assurance of safety and effectiveness of medical devices to medical device cybersecurity. That is highly significant for us. In the past, we've always used kind of our implicit authorities through the quality system regulation, in order to advance the state of the ecosystem for cybersecurity. Now, we have explicit authorities and oversight in terms of doing so. That's a massive shift for us. It's why we're quite excited about what the future holds in store.
McGee: Soon now that the FDA has this new authority, what does that mean? How will the FDA enforce the requirements that medical device makers now have for cybersecurity in their products?
Dr. Schwartz: Let me start off also by saying that these authorities, this legislation is brand new. It came over the holidays. It's a holiday gift, if you will. We at FDA really need to do a legal analysis of the statute of what we were given in terms of what its implications are to help further inform how we go forward. That will take us a little bit of time to do. I don't want to get ahead here and say, what we can do what we can do with regard to enforcement here. That will become clearer in the weeks to come as we further address this. It ultimately, though, enables us to take the pre market draft guidance that we had issued back in April of last year now, as April of 2022, which we have revised and are in the process of finalizing and make necessary changes to that guidance as we finalize it that anchors it, routes it directly into this new law. That's big! That's very big. There are going to be enforcement capabilities that we have. But once more, I'm going to pause in terms of laying out what those are until we've really done a full analysis of that.
McGee: From your perspective, what are the most important provisions of this bill that you think might have the biggest potential impact in terms of raising the bar for medical device cybersecurity law and why?
Dr. Schwartz: The provisions that are broadly speaking included within this law, very much point to the components that we've talked about in our Medical Device Safety Action Plan, they align closely with what was in our a 19 proposal in the year past. They align closely with what was in the PATCH Act, but in broad strokes, it is the requirement that manufacturers as they build and design new devices, and they come to FDA with those submissions, regardless of whether it's a class two or class three medical device, for example, that the submission has to provide sufficient evidence that meets the bar in terms of the patch ability, the update ability of the device that the device has been given the appropriate security controls and testing that has been done. That is required up front. Now recognizing that those types of steps, those measures taken in those early stages will further enable us to have far more secure devices throughout the lifecycle, as those devices stay on the market and are in clinical use, as opposed to what we currently face, which are many legacy devices out there, which, you know, frankly, have been very challenging to be able to be updated or patched in a secure manner without having any compromise to the performance for the safety of that device. I like to think about this in a way of like breaking the brittle legacy cycle as we go forward with new devices, that just simply will not be tolerable or acceptable because of what is going to be required in advance in getting those products onto the market. That's one really big, big one. Another one is the concept of coordinated vulnerability disclosure policies and processes that manufacturers now will have to comply with. It isn't just something that we have included within our post market guidance recommendations. But rather, this is heart of being compliant with medical device cybersecurity, and then importantly, the SBOM - the software bill of materials - and the requirement for manufacturers to provide that software transparency, which is something that we have been speaking about, underscoring in terms of its importance to the entire healthcare ecosystem. Now, that isn't something that is, recommended, but rather, that will be required as we move forward.
McGee: You mentioned the guidance that was introduced last April by FDA for the pre-market of medical devices that was draft guidance, updated guidance. The legislation calls for FDA to develop in consultation with CISA new cybersecurity guidance for the pre-market of medical devices within two years of this bill being enacted. With that said, will the FDA potentially use its previous updated draft guidance that was issued last spring as the foundation for the new guidance that's called for under this legislation? As we know, the guidance is generally stamped non-binding. If that's the case, will some of the recommendations that FDA made in its prior draft guidance now become requirements and not recommendations that are not non-binding? Or will these some of these things kind of transfer over into regulation versus suggestions? How will that potentially work?
Dr. Schwartz: We have enjoyed through the years a lot of work in collaboration with CISA, and I anticipate that that would continue irrespective of what's written in the in the statute, in terms of developing the premarket guidance. Going back to the draft that was issued in April 2022, and we have been in the process of finalizing it. What that enables us to do, again, is to cite now, specific references to an anchorage rooted in this new legislation. All guidance from FDA, while they state, it contains non-binding recommendations, there is also boiler template language that indicates that while these are non-binding recommendations, except for the situations where you have specific requirements per legislation or per regulation, and those can be called out. That is generally the way we frame the guidance as we go forward. The guidance will still be the agency's current thinking on how one meets the legislation or the regulation, what our recommended approach is to doing so. In that manner, it does not change. It still provides that type of clarity to the industry that we for whom we have oversight the medical device manufacturers. But what does become clear here is that in the absence of meeting the requirements, then that represents an issue of non-compliance that the agency can then have added teeth in terms of taking action.
McGee: What would you say are the most important takeaways from this legislation for medical device makers and healthcare delivery organizations regarding cybersecurity and medical devices?
Dr. Schwartz: The major takeaways are that after a good number of years of informing the ecosystem, how critical cybersecurity is to patient safety and to the security of the healthcare and public health critical infrastructure, that we now have further validation, an acknowledgement of its criticality by having this put into law. That is recognized by Congress, as well as, of course, by our stakeholders, particularly those who are on the receiving end, whether it's the healthcare providers, the clinicians, the healthcare organizations, and ultimately, our patients whom we serve, to assure that these devices are cybersecure as part of their device performance being safe and effective. This aligns very closely also with the executive order that the Biden administration had issued back in May 2021 and to which we had responded to request for information outlining the importance of requiring SBOMS, for example, as well as all of the important aspects of operational technologies, in which medical devices fall within that category, in there needing to be requirements placed in the performance of those devices in the most secure manner. We consider it a concern around patient safety. It is also clearly a matter of national security as well.
McGee: In terms of the impact on the FDA, will the FDA potentially need more internal resources such as more staff or more expertise to assess medical device cybersecurity during the approval process that medical device makers will now be faced with potentially?
Dr. Schwartz: We are delighted and very thankful as well to receive appropriations with this legislation. We received $5 million in funding for cybersecurity of medical devices. That is what we had asked for. It's a modest amount. I will say that in the future we will surely need more to continue to build out the work that we are doing the team and program as well as to make sure that we have sufficient resources. But this gets us quite far in terms of hiring the additional subject matter expertise staff, that we do need to build that bench strength as well as to further develop the necessary tools for scaling up what is ultimately a programmatic type of operation.
McGee: Thank you so much. I've been speaking to Dr. Suzanne Schwartz of the FDA. I am Marianne Kolbasuk McGee, with Information Security Media Group. Thanks for joining us.