Regular readers of our Mintz Viewpoints will likely remember that the Consolidated Appropriations Act for 2023, signed into law by President Biden on December 29, 2022, included as one of its many titles the Food and Drug Omnibus Reform Act, or FDORA. These amendments provided the Food and Drug Administration (FDA) with several important new powers and mandates from Congress, many of which we summarized in a previous blog post.
One of these new FDORA requirements is that developers of “cyber devices” design and implement plans to “monitor, identify and address” cybersecurity vulnerabilities of marketed devices and to submit those plans to FDA as part of every new product application for a cyber device. The amended law defines a “cyber device” as one that includes software, connects to the internet, and contains any technological features that could be vulnerable to cybersecurity threats.
On March 29, 2023 – 90 days after enactment of the FDORA amendments, when these new provisions related to cyber devices technically went into effect – the agency released guidance for industry describing how it intends to implement and enforce them. In particular, FDA states that after October 1, 2023, it will issue a “refuse to accept” (RTA) decision for any cyber device premarket submission that does not include the required information, but that it intends to work collaboratively with product developers rather than rejecting deficient applications between now and October. To further advance its collaboration and education goals, the agency also created a new “FAQ” webpage focused on the topic of cybersecurity in medical devices (available here).
Although the FDORA amendments have ushered in a more modern-day system in which sponsors of cyber device marketing applications will proactively provide their cybersecurity plans to the agency, the risks posed by such products are certainly not new and FDA has been encouraging device developers to consider such risks voluntarily for many years. Substantive advice for developers on how to identify cyber risks, as well as design and maintain controls to protect the integrity of their devices, can be found in the 2014 guidance Content of Premarket Submissions for Management of Cybersecurity in Medical Devices and the 2016 guidance Postmarket Management of Cybersecurity in Medical Devices. Additional cybersecurity guidance for industry is in development by FDA according to the planned activities for the Device Center during fiscal year 2023.
Notwithstanding the 6-month grace period being offered by FDA to developers of cyber devices, companies should ensure they are actively considering cybersecurity planning during the design and validation of their products today. The recent changes to the law also make the failure to comply with such requirements a prohibited act under the Federal Food, Drug, and Cosmetic Act (FD&C Act), which could create the potential for future enforcement action. In addition, with the foreseeable risk that poor cyber hygiene can pose to a connected device, design failures or other product defect lawsuits are almost certain to follow this recent change in the FD&C Act framework.