FDA lays out 2025 medical device guidance agenda
Medical devices are everywhere. The World Health Organization (WHO) broadly defines one as “any instrument, apparatus, implement, machine, appliance, implant, reagent for in vitro use, software, material or other similar or related article, intended by the manufacturer to be used, alone or in combination for a medical purpose.” Under that definition, there are probably fewer things in a healthcare setting that are not medical devices than things that are.
In fact, WHO says more than 2 million different kinds of devices on the world market fit under this definition, grouped into more than 7000 unique categories. In the United States, the FDA has regulatory authority over every one of them that is marketed domestically, including the latest generation of AI-driven software tools designed to aid in treatment.
That’s a lot of responsibility for a single agency, especially one that also has oversight of other critical areas of public health and medical care, and especially in an environment where many of the nation’s medical devices are highly vulnerable to cyberattack.
The Government Accountability Office (GAO) states that as of January 2022, 53% of internet-connected medical devices in hospitals had known critical vulnerabilities, with an average of 6.2 vulnerabilities per device. Approximately a third of connected devices carried an identified critical risk that could compromise the device itself or serve as an entry point for disrupting broader hospital operations.
These may include the nearly 7000 US-based devices with IP addresses reachable from the public internet, according to recent research by Censys, a cybersecurity firm. Open DICOM ports and DICOM-enabled web interfaces, which are used for exchanging and viewing imaging studies, account for 36% of the exposures, while EMRs account for more than a quarter (28%) of the exposed IP addresses. Epic Systems products are the most common among exposed EMR addresses, the company says, accounting for more than 90% of them. Note that a publicly reachable address is an exposure, not a confirmed vulnerability: it indicates that the interface can be reached and probed from the internet, which is usually a deployment or network-configuration decision rather than a defect in the product itself.
In such a vast, complicated, and dangerous environment, what is a regulatory agency to do? The answer is to issue guidance documents, which act as signposts leading the industry toward more proactive, uniform, and comprehensive responses to the known issues facing developers and users.
In 2025, the FDA is planning to continue its long history of setting guardrails for the medical device community with a series of publications centered on bolstering cybersecurity, trust, and safety in the age of AI.
Recently the FDA Center for Devices and Radiological Health (CDRH), which is responsible for medical device oversight, shared a list of its top publication priorities for the next twelve months, divided into “A-list” and “B-list” documents, completion of which depends on funding, resources, and timing.
On the A-list are topics such as the security-focused “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions Guidance for Industry and Food and Drug Administration Staff,” as well as direction for the industry around AI-driven tools, such as a document entitled “Marketing Submission Recommendations for a Predetermined Change Control Plan for Artificial Intelligence-Enabled Device Software Functions.”
Top priorities also include updates to existing guidance on the use of real-world evidence to support regulatory decision-making for medical devices as well as proposed revisions to guidance on the 510(k) Third Party Review Program and Emergency Use Authorization (EUA) Review processes.
The FDA is also planning to release draft guidance on lifecycle management considerations for AI-enabled device software functions and pre-market submission considerations.
On the much shorter B-list are a final guidance document entitled “Computer Software Assurance for Production and Quality System Software” and draft guidance addressing policies for regulatory status of device software functions.
The FDA is seeking comment on all of these topics, specifically on whether it has gotten its priorities right. Members of the healthcare community are encouraged to share their opinions on what should come first, and are also invited to say what topics should be covered within each of these subject matter areas. Instructions on how to comment are available toward the bottom of the FDA’s guidance agenda page.
Active participation from device developers and users will be vital for identifying and eliminating vulnerabilities that could have major consequences for individual patients and health systems alike. With artificial intelligence dramatically changing both the way devices function and the way cybercriminals find their way into systems, it is vital for industry stakeholders to work closely with regulators to close gaps and ensure the safety and security of all medical device users.
Jennifer Bresnick is a journalist and freelance content creator with a decade of experience in the health IT industry. Her work has focused on leveraging innovative technology tools to create value, improve health equity, and achieve the promises of the learning health system. She can be reached at jennifer@inklesscreative.com.