FDA Cyber Device Guidance — The more you know…

April 5, 2023

Starting October 1st, 2023, the FDA will begin to reject submissions that don’t detail cybersecurity measures including, for example, plans for how to address postmarket vulnerabilities, a strategy for disclosure of vulnerabilities, and a software bill of materials (SBOM) in accordance with section 524B of the Food, Drug and Cosmetic (FD&C) Act. The Refuse to Accept (RTA) guidance is consistent with the FDA’s plan to provide further public information on improving the cybersecurity of devices. It ensures medical device manufacturers (MDMs) understand the FDA’s expectations while giving them 6 months to prepare and implement. During this 6-month period, the FDA will not reject submissions but will work collaboratively with medical device manufacturers to resolve any outstanding issues relating to premarket submissions through interactive review.

Historically, devices have received Refuse to Accept (RTA) notices for cybersecurity for egregious mistakes only (e.g., failure to identify connectivity/interoperability, failure to meet special controls where applicable). While MDMs have been expected to play a larger role in securing their devices for some time, it’s now really important that MDMs realize the FDA is moving forward with its authority under the amendment of the FD&C Act.

The RTA guidance cites the specific amendment to the Act in Section 524B to provide MDMs with clarity on what aspects of cybersecurity are expected for submissions relating to “cyber devices” and provides a timeline for manufacturers to recognize what they need to do (review the new section of the Act, check their documentation against the new requirements, adjust content of submissions as needed). It is also consistent with the Postmarket Management of Cybersecurity in Medical Devices guidance the FDA issued in 2016. The RTA policy will reduce incomplete submissions coming in for review and will allow reviewers to focus on submissions that are not missing significant portions of their expected content. The onus is now on the manufacturer to ensure inclusion of this critical information that ensures the security, safety and effectiveness of devices.
