The FDA’s new cybersecurity requirements for device review are now in effect, but the agency says it doesn’t plan on rejecting submissions for noncompliance until later this year.
Medical device developers must now include cybersecurity plans in their applications or submissions for regulatory review of cyber devices.
The FDA said its new powers under recent legislation “represent a significant step forward in the FDA’s role in regulating cybersecurity as part of a medical device’s safety and effectiveness.”
What are cyber devices?
The new requirements define cyber devices as any device that “includes software validated, installed, or authorized by the sponsor as a device or in a device; has the ability to connect to the internet; and contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.”
The new rules cover cyber devices seeking approval or clearance under the 510(k), de novo, premarket approval (PMA) and humanitarian device exemption pathways.
Filings for cyber devices must now include “a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures.”
Device developers must also “design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems to address — on a reasonably justified regular cycle, known unacceptable vulnerabilities; and as soon as possible out of cycle, critical vulnerabilities that could cause uncontrolled risks.”
Finally, the FDA directed developers of cyber devices filing for review to “provide a software bill of materials, including commercial, open-source, and off-the-shelf software components.”
The new rules also leave the door open for other potential regulatory requirements needed “to demonstrate reasonable assurance that the device and related systems are cybersecure.”
What led to the new cyber device regulation?
The change comes through amendments to the Federal Food, Drug, and Cosmetic Act (FD&C Act). Federal lawmakers included those amendments in the Consolidated Appropriations Act, 2023, which President Joe Biden signed into law on Dec. 29, 2022.
The act stipulated that the new requirements not go into effect until March 29, 2023, but the FDA said last week that it “generally intends not to issue ‘refuse to accept’ (RTA) decisions for premarket submissions submitted for cyber devices” just because they lack cybersecurity information. Instead, the agency said it will “work collaboratively” with applicants as part of the interactive and/or deficiency review process over the next six months.
“Beginning Oct. 1, 2023, FDA expects that sponsors of such cyber devices will have had sufficient time to prepare premarket submissions that contain information required by section 524B of the FD&C Act, and FDA may RTA premarket submissions that do not,” the FDA said.
The FDA has previously issued guidance on its RTA policy for 510(k)s, PMA acceptance and filing reviews, and de novo request acceptance review.