The Food and Drug Administration announced on March 29 that, starting October 1, it will begin to “refuse to accept” medical devices and related systems for cybersecurity reasons. Beginning March 29, all new device submissions must include a detailed cybersecurity plan.
As such, device makers must submit plans to monitor, identify, and address post-market cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosures and plans, in a “reasonable timeframe.”
Developers will design and maintain procedures capable of demonstrating with reasonable assurance that “devices and related systems are cyber-secured,” and “on reasonably justified regular cycles, an unacceptable vulnerability according to known guidance.
Manufacturers should also disclose “major vulnerabilities that could pose uncontrollable risks” as soon as possible if discovered out of cycle.
Submissions must also include a software bill of materials. This must include all commercial, open source, and off-the-shelf software components to demonstrate reasonable assurance that the device and related systems are cybersecured, while complying with other FDA requirements.
These plans come as no surprise to device makers, as they were among the new powers granted by the Consolidated Appropriations Act of 2023, which was signed into law on December 29.
The act creates a “long-desired FDA agency” excluded from previous resolutions and includes the premarket submission requirements proposed by the Protect and Transform Cyber Healthcare (PATCH) Act.
The December adoption garnered overwhelming support from medical practitioners who have long sought federal assistance to reduce the systemic challenge of protecting medical devices. Organizations that provide healthcare have long had a responsibility to protect a vast and complex device ecosystem.
The December omnibus included a statement calling for the FDA to implement the measures announced on March 29 within 90 days of enactment. The final guidance, titled “Medical Device Cybersecurity: Rejecting Policy Acceptance for Cyber Devices and Related Systems,” includes all requirements for new submissions.
The new cybersecurity requirements do not apply to applications or submissions submitted to FDA before March 29. Additionally, “refuse” decisions on premarket submissions based solely on cyber reasons will not take effect until October 1.
Rather, FDA says it intends to “work with sponsors of such premarket submissions as part of an interactive and/or defect review process.” The agency expects cyber device sponsors to “have sufficient time to prepare their premarket submissions” in order to include cyber requirements in the final guidance.
“The FDA may also refuse to accept unapproved premarket submissions,” the notice said. Medical devices that include “software verified, installed or approved by the Sponsor,” that are capable of connecting to the Internet, and that contain verified, installed or approved technical features that may be vulnerable to cybersecurity threats are considered “cyber devices.”
The guidance did not undergo the usual public comment period because “prior public participation is not feasible or appropriate.” “While this policy will take effect immediately without prior comment, FDA will consider all comments received and revise the guidance document as necessary,” the official added.