A “cyber device” is a device that (1) includes software validated, installed, or authorized by the sponsor as a device or in a device, (2) has the ability to connect to the internet, and (3) contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to the cybersecurity threats.
The Omnibus Act, signed into law on December 29, 2022, added section 524B, Ensuring Cybersecurity of Devices, to the Federal Food, Drug, and Cosmetic Act (FD&C Act) under section 3305. The amendments became effective on March 29, 2023, 90 days after the enactment of the Omnibus. The cybersecurity requirements outlined in the Omnibus do not apply to any submissions made to the FDA prior to March 29, 2023.
Under section 524B(a) of the FD&C Act, a person who submits a premarket application or submission – including 510(k), premarket approval application (PMA), Product Development Protocol (PDP), De Novo, or Humanitarian Device Exemption (HDE) — for a device that meets the definition of a cyber device, as defined under section 524B(c), is required to submit information to ensure that cyber devices meet the cybersecurity requirements under section 524B(b).
It is important to note the guidance contains nonbinding recommendations and the use of the word “should” means that something is suggested or recommended but not required.
Section 524B of the FD&C Act mandates that the sponsor of a premarket submission for a cyber device must submit a plan to monitor, identify, and address postmarket cybersecurity vulnerabilities and exploits. The plan must include coordinated vulnerability disclosure and related procedures. The sponsor must also design, develop, and maintain processes and procedures to ensure that the device and related systems are cybersecure.
Sponsors must also make postmarket updates and patches available to the device and related systems to address known vulnerabilities:
- On a reasonably justified regular cycle, known unacceptable vulnerabilities.
- As soon as possible out of cycle, critical vulnerabilities that could cause uncontrolled risks.
Furthermore, the sponsor of a premarket submission for a cyber device must provide a software bill of materials, including commercial, open-source, and off-the-shelf software components. Additionally, they must comply with any other cybersecurity requirements that the Secretary may require through regulation to demonstrate reasonable assurance that the device and related systems are cybersecure.
While the new cybersecurity requirements took effect March 29, 2023, the FDA has stated that it will generally not issue “refuse to accept” (RTA) decisions based solely on information required by section 524B of the FD&C Act for premarket submissions submitted before October 1, 2023. However, beginning October 1, 2023, the FDA expects that sponsors of cyber devices will have had sufficient time to prepare premarket submissions that contain information required by section 524B of the FD&C Act, and FDA may RTA premarket submissions that do not.
Overall, the new cybersecurity provisions are an important step towards ensuring patient safety and cybersecurity in medical devices. Sponsors of premarket submissions for cyber devices must be aware of these new requirements and take necessary steps to comply with them to ensure their devices are cybersecure.
Look for MEDIcept’s upcoming White Paper that will go into more depth on this FDA new policy as well as comparing some new EU cybersecurity policies!
Trevor Klemann – Associate Medical Device Consultant