
FDA guidelines put focus on medical cybersecurity


Food and Drug Administration guidance that calls for medical device manufacturers to address cybersecurity issues before their products go to market will be a challenge, particularly for small and medium-sized companies, experts say.

Even large manufacturers may have to rethink their approach and consider cybersecurity concerns for the lifetime of their products, experts say.

Internet-connected medical devices have often been suspected entry points into hospital systems, and insurance coverage for manufacturers is often written on manuscript forms.

The guidance from the FDA, “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions,” which went into effect Oct. 1, replaces guidance issued in 2014. Class III medical devices, which are high-risk devices that are life-supporting or life-sustaining, require premarket FDA approval.

The guidance reflects statutory authority conferred on the FDA by the Food and Drug Omnibus Reform Act of 2022.

“When reviewing premarket submissions, FDA intends to assess device cybersecurity based on a number of factors including, but not limited to, the device’s ability to provide and implement” security objectives including confidentiality and “secure and timely updatability and patchability,” the guidance says.  

The FBI said in a September 2022 report that it had “identified an increasing number of vulnerabilities posed by unpatched medical devices that run on outdated software and services that lack adequate security features,” which “cyber threat actors” exploit. 

The FDA is trying to “keep up with the threats,” said Walker Taylor IV, Wilmington, North Carolina-based senior managing director of Arthur J. Gallagher & Co.’s life sciences practices group.

Even larger companies have tended to do the minimum of what is needed for cybersecurity, and until now the FDA has not pushed them very hard, said Scott Singer, interim managing director of the University of Minnesota Center for Medical Device Cybersecurity in Minneapolis. “This is kind of stepping up their game,” he said. 

“Overall, it’s overwhelmingly positive,” said Sean Burke, London-based life science practice leader at CFC Underwriting Ltd. “As an insurer, we can’t think of anything better than having some solid guidelines.”

The guidance “has all the elements of a good security program,” said Andreas Kuehlmann, executive chairman and CEO of Cycuity Inc., a San Jose, California-based cybersecurity company.  

It is aligned with cybersecurity best practices such as penetration and vulnerability testing, and security risk assessments, said Heather Hughes, vice president, engagement management, at Aon PLC’s cyber solutions division in Houston.

One of the concerns, though, is the scope of the guidance.

Manufacturers will have to consider cybersecurity for the full lifecycle of their products, from initial distribution through to the end of product life, said Benjamin M. Zegarelli, of counsel at Mintz, Levin, Cohn, Ferris, Glovsky and Popeo P.C., in New York, who is an FDA regulatory and compliance specialist.

Devices often remain in service for “quite a long time,” said Mike Rastigue, Chicago-based vice president and head of cyber risk management for Aspen Insurance Holdings Ltd.

Manufacturers will have to incur the long-term expense of maintaining cyber expertise on staff, he said.

Many manufacturers are already doing what the FDA guidance calls for, “but it helps the industry to understand the FDA’s expectations when they are designing new medical devices,” Mr. Zegarelli said.

However, “a lot of manufacturers understand how to build an insulin pump or IV machine, but the cybersecurity is a different aspect that they really haven’t considered nor understood,” said Matt Zagwoski, Philadelphia-based product leader, global life sciences, for Beazley PLC. 

Smaller manufacturers will likely have to contract with third parties to support their cybersecurity efforts, Mr. Singer said.

Cyber liability insurance coverage is available for medical device manufacturers, but it may be custom-made, observers say. “The issue is, a lot of traditional lines of coverages, like product recall, are very often looking to exclude cyber insurance,” so a manuscript policy may be necessary, Mr. Rastigue said.  

The market is competitive, while the underwriting process is rigorous, said Samantha Billy, New York-based vice president and U.S. broking growth leader at Aon. More insurers are seeking to write cyber coverage, especially for manufacturers that have strong information security hygiene, she said.

Mr. Burke said, “These guidelines will bring more capacity to the table, as more insurers will find comfort in the quality and safety profiles of the products in the marketplace,” which will also lead to reduced rates.

Max Perkins, head of strategy and innovation for cyber and technology at Axis Capital Holdings Ltd. in Durham, North Carolina, warned, however, that medical device manufacturers must also ensure that their coverage extends through the life of the product.