Beginning on October 1, the Food and Drug Administration(FDA) will “refuse to accept” medical devices and associated systems due to cybersecurity concerns, according to a March 29 announcement from the agency. Beginning March 29, all new device submissions must have comprehensive cybersecurity plans.
As a result, device manufacturers must submit plans to monitor, identify, and fix any discovered post-market cybersecurity vulnerabilities and exploits in a “reasonable timeframe,” including coordinated vulnerability reports and strategies.
The guidance states that developers must now design and maintain procedures that can demonstrate, with a reasonable degree of assurance, “that the device and related systems are cyber secure,” as well as the device and linked systems’ post-release upgrades and patches that fix “known unacceptable vulnerabilities on a reasonably justified regular cycle.”
A manufacturer must also immediately disclose “major vulnerabilities that could generate uncontrolled risks” to the public if they are found to exist outside of the expected time frame. To meet other FDA requirements “to establish worthy assurance that the device and related systems are cyber secure,” submissions must also provide a software bill of materials, listing any commercial, open-source, and off-the-shelf software components.
The Consolidated Appropriations Act (2023), signed into law on December 29 and granted new powers, includes these proposals, so device manufacturers shouldn’t be surprised.
The statute covers the premarket filing requirements put forward by the Protecting and Transforming Cyber Health Care (PATCH) Act and creates “long needed FDA authorities” that were excluded from earlier resolutions.
Security of the enormous, complex device ecosystem has long been the responsibility of healthcare delivery organizations, but even the best-equipped health institutions must catch up on the challenge. Healthcare stakeholders, who have long demanded federal assistance to reduce systemic problems with protecting medical equipment, overwhelmingly supported the addition in December.
All requirements for new submissions are included in the final guidance, “Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber Devices and Related Systems,” and the December Omnibus also contained statements requiring the FDA to take the actions announced on March 29 within 90 days of the law’s passage.
The “refuse to accept” judgments for premarket submissions based purely on cybersecurity considerations will not take effect until October 1; the new cybersecurity standards do not apply to applications or submissions made to the FDA before March 29.
Instead, the FDA says that as part of the interactive and/or deficient review process, it “will work cooperatively with sponsors of such premarket applications.” Sponsors of cyber devices “will have had ample time to prepare premarket submissions,” the association predicts, “and [will have] included the cyber requirements specified in the approved guidance.”
Any piece of medical equipment that can link to the internet has tech features that have been confirmed, installed, or allowed, and has “software validated, installed, or authorised by the sponsor” is considered a “cyber device” and falls within this definition.
According to officials, prior public participation “is neither practical nor acceptable,” Even though this policy is being put into effect immediately without seeking any input, the FDA “will examine all comments received and update the guideline paper as necessary.” The typical period for receiving public comments on the guidelines was skipped.
When applying a new product, the US (FDA) will demand that producers of medical devices adhere to specific cybersecurity criteria. The Federal Food, Drug, and Cosmetic Act was revised by the Consolidated Appropriations Act, which was passed into law in late 2022. A section named “Ensuring Cybersecurity of Medical Devices” is where the new regulations are found, according to guidance provided by the FDA on March 30. (FD&C Act). The FDA states that submissions for new medical devices must include particular cybersecurity-related information, such as a strategy for quickly identifying and resolving vulnerabilities and exploits. Businesses must also detail how they plan to release post-market upgrades and patches that address security risks, including routine updates and out-of-band patches of severe flaws.
A software bill of materials (SBOM) for for-profit, non-profit, and off-the-shelf components must also be included in the data delivered to the FDA. The specifications apply to “cyber devices,” defined as “any device that executes software, has the capability of connecting to the internet, and is potentially exposed to cyberthreats.” The new cybersecurity rules only apply to submissions made before March 29, 2023. The FDA will only accept applications based on the new cybersecurity standards until October 1 and will support businesses until then. Yet as of October 1, the government might start disqualifying premarket filings that exclude the necessary details. The FDA has also released a FAQ website with additional details on the new standards and connections to helpful resources.