FDA Cyber Device Guidance — The more you know…

Topics:
No items found.
All authors
All authors

April 5, 2023

FDA Cyber Device Guidance — The more you know…

Starting October 1st 2023, the FDA will begin to reject submissions that don’t detail cybersecurity measures including, for example, plans for how to to address postmarket vulnerabilities, a strategy for disclosure of vulnerabilities, and a software bill of materials (SBOM) in accordance with section 524B of the Food, Drug and Cosmetic (FD&C) Act. The Refuse to Accept (RTA) guidance is consistent with the FDA’s plan to further provide public information regarding improving cybersecurity of devices. It ensures medical device manufacturers (MDMs) understand the FDA’s expectations while giving them 6 months to prepare and implement. During this 6 month period, the FDA will not reject submissions but will work in a collaborative fashion with medical device manufacturers to resolve any outstanding issues relating to premarket submissions through interactive review.

Historically, devices have received Refuse to Accept (RTA) notices for cybersecurity for egregious mistakes only (e.g.,failure to identify connectivity/interoperability, failure to meet special controls where applicable). While MDMs have been expected to play a larger role in securing their devices for some time, it’s now really important that MDMs realize the FDA is moving forward with their authority under the amendment of the FD&C Act.

The RTA guidance cites the specific amendment to the Act in Section 524B to provide MDMs with clarity on what aspects of cybersecurity are expected for submissions relating to “cyber devices” and provides a timeline for manufacturers to recognize what they need to do (review the new section of the Act, check their documentation against the new requirements, adjust content of submissions as needed). It is also consistent with the Postmarket Management of Cybersecurity in Medical Devices guidance the FDA issued in 2016. The RTA policy will reduce incomplete submissions coming in for review and will allow reviewers to focus on submissions that are not missing significant portions of their expected content. The onus is now on the manufacturer to ensure inclusion of this critical information that ensures the security, safety and effectiveness of devices.

Follow MedCrypt on LinkedIn and Twitter and subscribe to our newsletter to stay up to date on the latest news in medical device cybersecurity.

Related articles

The Evolution of Cybersecurity in the Medical Field and the Importance of Information Sharing and Analysis Organizations (ISAOs)
This is some text inside of a div block.

The Evolution of Cybersecurity in the Medical Field and the Importance of Information Sharing and Analysis Organizations (ISAOs)

Company
This is some text inside of a div block.
Thought leadership
This is some text inside of a div block.

July 23, 2024

Navigating FDA Regulations and the Role of ISAOs in Medical Device Cybersecurity
This is some text inside of a div block.

Navigating FDA Regulations and the Role of ISAOs in Medical Device Cybersecurity

Thought leadership
This is some text inside of a div block.
Company
This is some text inside of a div block.

July 15, 2024

Subscribe to Medcrypt news

Get the latest healthcare cybersecurity news right in your inbox.

We'll never spam you or sell your information

By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.