New Medical Device Cybersecurity Regulation

PRP Consulting Team

May 4, 2023 2:08:35 PM

On March 29, 2023, Section 3305 of the Consolidated Appropriations Act of 2023, “Ensuring Cybersecurity of Medical Devices” (“Section 3305”), became effective. It addresses the growing cybersecurity threats within the medical device industry. Section 3305, which amends the Federal Food, Drug, and Cosmetic Act (“FD&C”) by adding Section 524B, authorizes the FDA to establish, implement, and enforce enhanced cybersecurity standards for medical devices.

The new requirements apply to any medical device determined to be a “cyber device,” defined as a device that: (1) includes software that is validated, installed, or authorized by the sponsor as a device or in a device; (2) has the ability to connect to the internet; and (3) contains any technological characteristics that could be vulnerable to cybersecurity threats. The new standards, which went into effect on March 29, 2023, require manufacturers of “cyber devices” to comply with the following requirements:

  • Submit to the FDA, as part of their premarket submissions (e.g. 510(k), PMA, De Novo, etc.), a detailed plan to identify, monitor, and address post-market cybersecurity vulnerabilities associated with the device, including coordinated vulnerability disclosure and related procedures;
  • Design, develop, and maintain processes and procedures to provide reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems; and
  • Provide a software bill of materials (SBOM), including commercial, open-source, and off-the-shelf software components.

The FDA may also issue regulations with other requirements to demonstrate reasonable assurance that the device and related systems are cybersecure.

In addition, it is important to note that the FDA issued supplemental guidance in March 2023 stipulating that the FDA generally does not intend to issue “refuse to accept” decisions based solely on these new cybersecurity requirements before October 1, 2023, and will instead collaborate with sponsors of premarket submissions as part of the interactive and/or deficiency review process. However, the FDA has made it clear that, beginning October 1, 2023, it expects sponsors to have had adequate time to address the new requirements, and “refuse to accept” decisions may therefore be issued for noncompliance.

In order to assist manufacturers with implementation of these new requirements, the FDA cites various resources such as:
