The Food and Drug Administration announced March 29 that it will begin to “refuse to accept” medical devices and related systems over cybersecurity reasons beginning Oct. 1. All new device submissions must include detailed cybersecurity plans beginning March 29.
As such, device manufacturers will need to submit plans to monitor, identify and address in a “reasonable timeframe” any determined post-market cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosures and plans.
Developers must now design and maintain procedures able to show, with reasonable assurance, “that the device and related systems are cybersecure” and create post-market updates and patches to the device and connected systems that address “on a reasonably justified regular cycle, known unacceptable vulnerabilities,” according to the guidance.
If discovered out-of-cycle, the manufacturer must also make public “critical vulnerabilities that could cause uncontrolled risks,” as soon as possible.
Submissions will also need to include a software bill of materials, which must contain all commercial, open-source, and off-the-shelf software components, while complying with other FDA requirements “to demonstrate reasonable assurance that the device and related systems are cybersecure.”
These plans should come as no surprise to device manufacturers, as they were included in the new authorities granted by the Consolidated Appropriations Act of 2023, which was signed into law on Dec. 29.
The law created “long desired FDA authorities” that were left out of previous resolutions and includes requirements for premarket submissions proposed by the Protecting and Transforming Cyber Health Care (PATCH) Act.
The December inclusion yielded overwhelming support from healthcare stakeholders, who've long requested federal support to curtail systemic challenges with securing medical devices. Healthcare delivery organizations have long borne the onus of securing the vast, complex device ecosystem, and even the most equipped health systems do not fully meet the task.
The December Omnibus included provisions requiring the FDA to take the actions announced March 29 within 90 days of the law’s passage. The final guidance, titled “Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber Devices and Related Systems,” includes all requirements for new submissions.
The new cybersecurity requirements don’t apply to applications or submissions filed with the FDA before March 29. And “refuse to accept” decisions for premarket submissions based solely on cyber reasons will not go into effect until Oct. 1.
Rather, the FDA says it intends to “work collaboratively with sponsors of such premarket submissions as part of the interactive and/or deficiency review process.” The agency expects that cyber device sponsors “will have had sufficient time to prepare premarket submissions” to include the cyber requirements contained in the finalized guidance.
“And FDA may refuse to accept premarket submissions that do not,” according to its notice. A medical device is considered a “cyber device” if it includes “software validated, installed, or authorized by the sponsor,” can connect to the internet, and contains any technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.
The guidance did not go through the typical public comment period, as “prior public participation is not feasible or appropriate.” Officials added that “although this policy is being implemented immediately without prior comment, FDA will consider all comments received and revise the guidance document as appropriate.”