Starting October 1st 2023, the FDA will begin to reject submissions that don’t detail cybersecurity measures including, for example, plans for how to address postmarket vulnerabilities, a strategy for disclosure of vulnerabilities, and a software bill of materials (SBOM) in accordance with section 524B of the Food, Drug and Cosmetic (FD&C) Act. The Refuse to Accept (RTA) guidance is consistent with the FDA’s plan to further provide public information regarding improving cybersecurity of devices. It ensures medical device manufacturers (MDMs) understand the FDA’s expectations while giving them 6 months to prepare and implement. During this 6-month period, the FDA will not reject submissions but will work in a collaborative fashion with medical device manufacturers to resolve any outstanding issues relating to premarket submissions through interactive review.
Historically, devices have received Refuse to Accept (RTA) notices for cybersecurity only for egregious mistakes (e.g., failure to identify connectivity/interoperability, failure to meet special controls where applicable). While MDMs have been expected to play a larger role in securing their devices for some time, it is now critical that MDMs realize the FDA is moving forward with its authority under the amendment of the FD&C Act.
The RTA guidance cites the specific amendment to the Act in Section 524B to provide MDMs with clarity on what aspects of cybersecurity are expected for submissions relating to “cyber devices” and provides a timeline for manufacturers to recognize what they need to do (review the new section of the Act, check their documentation against the new requirements, adjust content of submissions as needed). It is also consistent with the Postmarket Management of Cybersecurity in Medical Devices guidance the FDA issued in 2016. The RTA policy will reduce incomplete submissions coming in for review and will allow reviewers to focus on submissions that are not missing significant portions of their expected content. The onus is now on the manufacturer to ensure inclusion of this critical information that ensures the security, safety and effectiveness of devices.
Follow MedCrypt on LinkedIn and Twitter and subscribe to our newsletter to stay up to date on the latest news in medical device cybersecurity.