FDA’s New Guidance on Cybersecurity for Medical Devices

Washington, D.C. – The U.S. Food and Drug Administration (FDA) has announced new guidance concerning cybersecurity in medical devices. The document, titled “Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber Devices and Related Systems Under Section 524B of the FD&C Act,” provides critical information for the medical device industry and outlines the FDA’s approach to ensuring cybersecurity in medical devices. In this article, we provide an overview of the new guidance and its potential impact.

Background and Overview of the New Guidance

On December 29, 2022, the Consolidated Appropriations Act of 2023, commonly referred to as the “Omnibus,” was signed into law. One critical component of the Omnibus was Section 3305, titled “Ensuring Cybersecurity of Medical Devices,” which amended the Federal Food, Drug, and Cosmetic Act (FD&C Act) by adding Section 524B. This section sets out provisions intended to ensure the cybersecurity of medical devices. The Omnibus stipulates that the cybersecurity amendments to the FD&C Act take effect 90 days after the law’s enactment, on March 29, 2023. The FDA has made it clear that the new cybersecurity requirements do not apply retroactively to applications or submissions submitted to the FDA before March 29, 2023.

The FDA’s Approach to Cybersecurity in Medical Devices

As part of the new guidance, the FDA has outlined its approach to reviewing premarket submissions for cyber devices, which are medical devices with software components or connectivity features that could be vulnerable to cybersecurity threats.

Starting October 1, 2023, the FDA may issue “refuse to accept” (RTA) decisions for premarket submissions of cyber devices if they do not contain the required cybersecurity information as specified under Section 524B of the FD&C Act. However, before that date, the FDA intends to work collaboratively with sponsors of premarket submissions through an interactive and deficiency review process. This collaborative approach is designed to ensure that sponsors have sufficient time to prepare submissions that meet the new cybersecurity requirements.

Notably, the guidance is being implemented immediately without a prior public comment period. The FDA has determined that prior public participation is not feasible or appropriate due to the 90-day statutory timeframe for Section 524B’s effective date. Despite this, the FDA will consider comments received and may revise the guidance document accordingly.

Implications for the Medical Device Industry

The new guidance underscores the FDA’s commitment to ensuring that medical devices are secure and resistant to cyber threats. It places the onus on manufacturers to demonstrate their adherence to cybersecurity best practices in their premarket submissions.

Medical device manufacturers should review the new guidance carefully and ensure that their premarket submissions include detailed information regarding their device’s cybersecurity measures. A comprehensive approach to cybersecurity is essential, as vulnerabilities in medical devices can have serious consequences for patient safety and privacy.

Manufacturers that fail to comply with the FDA’s new cybersecurity requirements may face RTA decisions starting October 1, 2023. As such, it is crucial for manufacturers to prepare and align their submissions with the FDA’s guidance and requirements. The healthcare industry has been slow to adopt cybersecurity measures, and the FDA’s new policy is a step towards addressing the issue. The rise of connected medical devices has created new risks and challenges for the healthcare industry, and securing these devices is essential to protecting patient data and privacy.