In December 2022, President Biden signed the Consolidated Appropriations Act, 2023. Section 3305 of the law provides the FDA with authority to establish cybersecurity standards for medical device premarket submissions, including known or possible vulnerabilities in the design, development and maintenance (post-market) processes.
The law aims to provide reasonable assurance that the device and related system ecosystem are cybersecure. To do so:
Medical device companies must prove any connected medical device has a comprehensive plan to monitor, update and fix a deployed device should any security vulnerabilities arise. A related requirement is a patching and maintenance plan that ensures the device and system remains cybersecure.
Further, sponsors of device submission must provide a software bill of materials (SBOM) that includes commercial, open-source, and off-the-shelf software and cloud components. The documentation must demonstrate reasonable assurance that the device and systems are cybersecure.
The new law also extends this standard of responsibility to devices that are already 510(k) cleared - even if there is no change to Intended Use. In the past, only changes would drive the need for new regulatory alignment. Now, the FDA has the authority to force companies to comply, even for previously cleared commercial devices.
For those of you already using BioT’s platform - you can take a deep breath and continue focusing on your medical innovation.
Foundational Security Architecture and Quality Processes
From its inception, cybersecurity has been, and remains, BioT’s top priority. Our Platform was designed from the ground up with cybersecurity as the foundational requirement of its architecture, approach and artifacts.
Additionally, BioT’s ISO 13485-certified quality management system (QMS) continuously monitors, identifies and fixes any cybersecurity vulnerabilities as soon as they are discovered. We employ multiple methods for monitoring and identifying cybersecurity issues, including:
To the last point, BioT is an Amazon Web Services (AWS) Advanced Technology Partner. A mandatory requirement for Advanced status is successfully passing an AWS Well-Architected Review, the deepest audit AWS conducts on its Partners. One critical review pillar is strict security best practices. BioT achieved Advanced recognition in 2019, and did so with unprecedented grades.
Verified and Validated Software Bill of Materials (SBOM)
As for the SBOM requirement, BioT’s IEC 62304-compliant Design History File (DHF) encompasses the critical categories needed for submission; with every update of BioT, the SBOM is updated as part of the entire DHF update. In turn, we remove this time-consuming and resource-intensive task from our clients and accelerate their trial and commercialization execution.
Also, BioT conforms to EU and other cybersecurity laws beyond the US. We have an online published listing of our SaaS suppliers, making it easier for customers and auditors to trace the cyber incidents of our suppliers and assess the impact.
As a developer-first platform, BioT is currently the only platform on which developers who deploy their code gain complete cybersecurity protection for that code and don’t have to worry about protecting it themselves.
By hosting the code as a BioT Plugin, we provide a secure sandbox for algorithms to execute within, while we guard all data transmissions in and out. Therefore, the same cybersecurity measures we employ also guard custom algorithms or other code clients deploy on BioT.
At BioT, we applaud the FDA’s ratifying cybersecurity due diligence and processes. And, our clients benefit from the fact that BioT has been doing it since 2018 and continues it as a foundational benefit of our Platform as a Service.
If you have any questions, please reach out to us and one of our experts will gladly discuss this with you.
The full legislation is at page 3,537, line 18 of https://www.appropriations.senate.gov/imo/media/doc/JRQ121922
The resulting FDA guidance is at https://www.fda.gov/media/166614/download