Cybersecurity breaches involving medical devices can have severe consequences, threatening patient safety and privacy. However, securing these devices is complex and resource intensive. The guidelines and regulations for medical device cybersecurity are comprehensive, technical, and regularly updated to address emerging threats and vulnerabilities, making aligning to them a continual process rather than a one-time effort. Healthcare delivery organizations (HDOs) and individual patients continue to drive increasing security requirements for medical device manufacturers, often accelerated by broader healthcare breaches.
Manufacturers must first navigate the US FDA approval process for medical devices, which requires a rigorous demonstration of safety and efficacy with cybersecurity measures. Section 3305 of the Food and Drug Omnibus Reform Act of 2022 (“FDORA”) added new authorities for the FDA to enable the FDA to require certain cybersecurity information for approval submissions. In September 2023, the FDA updated its pre-market guidance for devices with new guidelines that significantly raised the expectation for cybersecurity. This was followed by a March 2024 draft guidance document from the FDA that proposed additional cybersecurity expectations.
Beyond the US FDA, there is now a global landscape of dozens of medical device security-relevant regulations that manufacturers must navigate, such as IMDRF guidance, the EU MDR, and China’s CSL.
With the continuous evolution of cybersecurity standards and practices, manufacturers face the daunting task of ensuring their devices meet and maintain compliance with the latest recommendations and requirements.
How can KPMG help?
To address these challenges, our experienced team of life-science subject matter professionals can help assess your medical device security program and device features and also help you improve processes and technology to better align with the FDA, other global guidance, and customer expectations. We can support you with:
- Current State Assessments (holistic, regulation-specific, or customized)
- Strategy, Roadmap, Operating Model, and Business Case Development
- Coordinated Vulnerability Disclosure (CVD) Program Building
- Security Reference Architecture Development
- Software Bill of Materials (SBOM) Support
- ...and more.
Beyond the above, our team of seasoned medical device security professionals also has insight across the industry and regulatory environment and is happy to be available for knowledge-sharing sessions to keep you informed on the latest developments.
