FDA Cyber Device Guidance — The more you know…


April 5, 2023


Starting October 1st 2023, the FDA will begin to reject submissions that don’t detail cybersecurity measures including, for example, plans for how to address postmarket vulnerabilities, a strategy for disclosure of vulnerabilities, and a software bill of materials (SBOM) in accordance with section 524B of the Food, Drug and Cosmetic (FD&C) Act. The Refuse to Accept (RTA) guidance is consistent with the FDA’s plan to further provide public information regarding improving cybersecurity of devices. It ensures medical device manufacturers (MDMs) understand the FDA’s expectations while giving them 6 months to prepare and implement. During this 6-month period, the FDA will not reject submissions but will work collaboratively with medical device manufacturers to resolve any outstanding issues relating to premarket submissions through interactive review.

Historically, devices have received Refuse to Accept (RTA) notices for cybersecurity for egregious mistakes only (e.g., failure to identify connectivity/interoperability, failure to meet special controls where applicable). While MDMs have been expected to play a larger role in securing their devices for some time, it’s now really important that MDMs realize the FDA is moving forward with its authority under the amendment of the FD&C Act.

The RTA guidance cites the specific amendment to the Act in Section 524B to provide MDMs with clarity on what aspects of cybersecurity are expected for submissions relating to “cyber devices” and provides a timeline for manufacturers to recognize what they need to do (review the new section of the Act, check their documentation against the new requirements, adjust content of submissions as needed). It is also consistent with the Postmarket Management of Cybersecurity in Medical Devices guidance the FDA issued in 2016. The RTA policy will reduce incomplete submissions coming in for review and will allow reviewers to focus on submissions that are not missing significant portions of their expected content. The onus is now on the manufacturer to ensure inclusion of this critical information that ensures the security, safety and effectiveness of devices.
