On March 29, 2023, and March 30, 2023, the U.S. Food & Drug Administration (“FDA”) issued a series of FAQs[1] and a guidance document[2] clarifying the agency’s intended implementation of the Consolidated Appropriations Act of 2023 (the “Omnibus”), which amended Section 524B of the Food, Drug & Cosmetics Act (the “FD&C Act”) to require the demonstration of cybersecurity safeguards in pre-market submissions for certain medical devices.[3]
Which Submissions Are Subject to the New Cybersecurity Requirements?
“Cyber Devices”
The cybersecurity requirements apply to manufacturers of medical devices[4] that meet the statutory definition of “cyber device,” meaning a device that (i) includes software validated, installed, or authorized by the sponsor as a device or in a device; (ii) has the ability to connect to the internet, including “the cloud” or other shared network; and (iii) contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.[5]
All Pre-Market Submissions
The cybersecurity requirements apply to all types of pre-market applications for products that qualify as cyber devices, including (i) pre-market approval applications (“PMA”), (ii) 510(k) notices, (iii) Product Development Protocols (“PDP”), (iv) De Novo submissions, (v) Humanitarian Device Exemption submissions (“HDE”), and (vi) modifications to devices previously granted pre-market clearance.
Enforcement Timeline
Although the plain language of Section 524B imposes the new cybersecurity requirements on manufacturers who submit a pre-market application for a cyber device beginning March 29, 2023, FDA intends to exercise enforcement discretion until October 1, 2023, presumably to give the industry time to adjust. Although FDA has not gone so far as to say that it will completely disregard the requirements until October, the agency has indicated that it will not refuse any pre-market applications solely for failure to include the cybersecurity information required by Section 524B; instead, FDA will collaborate with applicants to obtain the information and continue processing the application.
What Are the New Cybersecurity Requirements?
Per Section 524B and the recent FDA FAQs, manufacturers of cyber devices must demonstrate compliance with each of the following requirements in all pre-market applications submitted after March 29, 2023, for products that qualify as cyber devices:
- Submit a plan to monitor, identify, and address, as appropriate, in a reasonable time, post-market cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures;
- Design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available post-market updates and patches to the device and related systems; and
- Provide a software bill of materials, including commercial, open-source, and off-the-shelf software components.
How Do the New Requirements Fit into the Current Regulatory Scheme?
Before March 30, 2023, the most current guidance issued by FDA on cybersecurity requirements for regulated devices was the draft guidance document titled, “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions” (the “2022 Guidance”). The 2022 Guidance remains applicable but, per Section 524B, FDA must update it within the next two (2) years to incorporate the new cybersecurity requirements, including the new term, “cyber device.” The 2022 Guidance provides an informative glimpse into FDA’s approach to mitigating cybersecurity risks for the devices it regulates. This insight is especially valuable because the agency has provided only a small amount of alternative guidance in this area, no doubt due to the rapidly evolving nature of cybersecurity threats and the difficulty of implementing regulatory structures that can keep up.
Although, in the 2022 Guidance, FDA states that cybersecurity is a “shared responsibility between stakeholders, including health care facilities, patients, providers, and manufacturers of medical devices,” the lion’s share of the onus for cybersecurity mitigation falls on manufacturers, who are responsible for maintaining both proactive mitigation strategies, such as device design requirements, and reactive mitigation strategies, such as post-market product monitoring. By passing the Omnibus, Congress clearly aligned with FDA’s approach by indicating not only that cybersecurity is a top priority in the medical device space, but also that key safeguards should be implemented proactively, at the manufacturing stage, before a device even enters the market.
Manufacturers of cyber devices can position themselves for success by prioritizing cybersecurity safeguards in device design and development. This will ensure alignment with the expectations of not only FDA, but also cooperative regulatory entities, such as Information Sharing and Analysis Organizations (“ISAOs”) and the Department of Homeland Security (“DHS”),[6] which are expected to enact increased cybersecurity enforcement for medical devices in the coming years.
FOOTNOTES
[1] Cybersecurity in Medical Devices Frequently Asked Questions (FAQs), U.S. Food & Drug Administration (Mar. 29, 2023).
[2] Guidance – Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber Devices and Related Systems Under Section 524B of the FD&C Act, U.S. Food & Drug Administration (Mar. 30, 2023).
[3] See Consolidated Appropriations Act of 2023, 118th Cong., H.R. 2617, § 3305 (2022).
[4] Per FD&C Act, Section 201(h), “device” means an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including any component, part, or accessory, which is—(A) recognized in the official National Formulary, or the United States Pharmacopeia, or any supplement to them, (B) intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals, or (C) intended to affect the structure or any function of the body of man or other animals, and which does not achieve its primary intended purposes through chemical action within or on the body of man or other animals and which is not dependent upon being metabolized for the achievement of its primary intended purposes. The term “device” does not include software functions excluded pursuant to section 520(o) of the FD&C Act.
[5] See FD&C Act, Section 524B.
[6] See MOU 225-18-028; MOU 225-18-030; MOA: DHS-FDA Medical Device Cybersecurity Collaboration.