With new regulations, medtech companies should assess cyber risk

ARTICLE | January 24, 2024

Authored by RSM US LLP

Medtech companies are increasingly grappling with significant business risks related to the management and protection of patient device data. As the industry intensifies its collection, transmission, storage and analysis of confidential patient data, it faces heightened scrutiny from various stakeholders. Investors, both before and after committing funds, are now demanding clear demonstrations of robust cybersecurity capabilities. This scrutiny extends to the highest levels of corporate governance, with executives and board members intensifying their focus on ensuring that, at the very least, essential business operations are securely managed.

Additionally, cyber insurance providers are setting stringent prerequisites for foundational cybersecurity measures before offering coverage, reflecting the growing recognition of these risks. Compounding these challenges are evolving regulatory landscapes. New Food and Drug Administration (FDA) regulations and U.S. Securities and Exchange Commission (SEC) cyber disclosure mandates are placing additional burdens on medtech companies. These regulations not only increase the complexity of compliance but also underscore the critical importance of safeguarding patient data against cyberthreats. The convergence of these external pressures underscores the urgent need for medtech companies to prioritize and enhance their cybersecurity strategies to mitigate business risks and protect sensitive patient information.

FDA cyber requirements

On Dec. 29, 2022, the Consolidated Appropriations Act, 2023, was signed, introducing a major change to the Federal Food, Drug, and Cosmetic Act. This change, specifically in section 3305, added new cybersecurity requirements for medical devices. From Oct. 1, 2023, these new rules became mandatory for all cyber device manufacturers seeking FDA approval. Further guidance was provided by the FDA in collaboration with MITRE Corporation, released on Nov. 15, 2023. These regulations are now mandatory for manufacturers seeking FDA approval for cyber devices, encompassing 510(k), premarket approval application, product development protocol, de novo, or humanitarian device exemption submission types. Additionally, any modifications to previously authorized devices that necessitate FDA review must also adhere to these new cybersecurity standards.

Section 524B of the Act delineates specific requirements for cyber devices, emphasizing a proactive and comprehensive approach to cybersecurity. Key mandates include:

• The creation of a documented plan for ongoing monitoring of devices to identify and address post market vulnerabilities.
• The establishment of processes and procedures that support this plan, ensuring robust security measures are in place.
• The requirement to produce a software bill of materials for each device, detailing the software components and their patch statuses to continuously demonstrate that vulnerabilities have been mitigated.
• Adherence to additional security-related regulations as established by the FDA.

These requirements underscore the FDA’s commitment to elevating cybersecurity standards in the cyber device sector, particularly in medical technology, to safeguard against historical and emerging threats while ensuring patient safety.

SEC cyber disclosure rules

The SEC introduced a significant rule on cybersecurity risk management, strategy, governance and incident disclosure, effective mid-December 2023. This rule, announced on July 26, 2023, presents significant implications for medtech companies, a sector known for its unique technological and operational challenges.

The key aspects of this new rule relate to the following three requirements:

1. Enhancing transparency and investor protection: The SEC's regulations are designed to ensure that investors and the market have clear and timely information about cybersecurity risks and incidents. This transparency is vital for investors to make informed decisions.
2. Standardizing disclosures: By standardizing the way companies report cybersecurity incidents and their risk management strategies, the SEC aims to create a level playing field. This helps investors compare and assess how different companies manage cyber risks, including board of director oversight.
3. Promoting proactive risk management: The regulations encourage companies to proactively manage and mitigate cybersecurity risks. This is not just about compliance, but about safeguarding the company's digital assets and reputation.

The implications for any public company relate to additional reporting requirements as they relate to material cybersecurity incidents, annual disclosures on cybersecurity risk management strategies and governance, and additional board involvement with cybersecurity risk.

Medtech companies often grapple with legacy systems and products. Many medical devices in use today are based on outdated software, lacking regular updates, which poses a substantial cybersecurity risk. Additionally, these devices are frequently dispersed across various health care settings, from hospitals to small clinics, increasing the risk of unauthorized access. The industry's traditional approach to security, primarily through network segmentation or disabling networking features, may no longer suffice in the face of evolving cyberthreats. Moreover, the increasing trend of connected medical devices, driven by the consumerization of health care, adds another layer of complexity to cybersecurity management.

To comply with the SEC's new cyber disclosure rule, medtech companies must adopt a comprehensive approach. This involves updating enterprise governance models and ensuring that cybersecurity is integrated into product development from the outset. Regular risk assessments, continuous monitoring and incident response plans are crucial. Companies must also focus on modernizing their device security, setting clear timelines for phasing out legacy systems, and enhancing their testing and training protocols to keep pace with the evolving cybersecurity landscape. Collaboration with health care systems is key for securing products, modernizing device security and facilitating the adoption of automatic updates. By addressing these areas, medtech companies can not only comply with the SEC's requirements but also reinforce their commitment to patient safety and data security.

Recommended next steps

Medtech companies should analyze the current state of their cybersecurity program to understand how well capabilities are aligned with the newer regulatory requirements. Where gaps are identified, organizations should develop a tactical and strategic plan to gain assurance that requirements are met. As part of this analysis, the following areas should be assessed for FDA and SEC requirements:

• Software bill of materials: Maintain an inventory of the hardware and software enabling medtech devices, including tracking of patch levels and vulnerabilities.
• Cybersecurity governance: Demonstrate reporting to the board of directors on a defined cadence to articulate cybersecurity risks, mitigation plans and accomplishments.
• Cybersecurity risk management: Show a recurring ability to identify risks and develop mitigation plans to decrease the likelihood and/or impact of a risk. As part of this process, determine risks that could be material to the company for annual reporting.
• Incident response: Ensure formal and robust capabilities are in place to identify and respond to cybersecurity incidents. Procedures should be documented within an incident response plan that is tested with all stakeholders, including the business (e.g., finance and legal). Either within the plan or independently, establish thresholds for materiality determination and a process to disclosure incidents determined to be material within the required four days.