
FDA to Refuse Medical Device Submissions For Cybersecurity Reasons Beginning in October

Medical device manufacturers will now be required to include cybersecurity details in device submissions, and the FDA will soon be able to deny submissions over inadequate security controls.



By Jill McKeon

Effective immediately, the US Food and Drug Administration (FDA) will require medical device manufacturers to provide cybersecurity information in their premarket device submissions. Additionally, beginning October 1, the FDA will exercise its authority to refuse to accept submissions for cybersecurity reasons, meaning that a submission missing the required cybersecurity content can be turned away at the administrative screening stage before any substantive review begins.

The industry has been expecting these developments since late December 2022, when the Consolidated Appropriations Act, 2023 (Omnibus) was signed into law. As previously reported, section 3305 of the Omnibus amended the Federal Food, Drug, and Cosmetic Act (FD&C Act) to include key medical device security provisions.

Section 3305 included language requiring medical device manufacturers to ensure that their devices meet select cybersecurity requirements at the premarket stage. This language was also a key component of the previously introduced Protecting and Transforming Cyber Health Care (PATCH) Act, which was met with significant support from industry groups at the time.

For any submission after March 29, 2023, manufacturers must include a “plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures,” the FDA stated.

In addition, manufacturers must develop and maintain procedures that provide a reasonable assurance that the device and systems are cybersecure and incorporate plans to patch and update the device and related systems at the postmarket stage.

Lastly, manufacturers are required to provide a software bill of materials (SBOM) for their devices, including commercial, open-source, and off-the-shelf software components. The FDA issued an accompanying FAQ document to help manufacturers determine their obligations.

Although these requirements have already taken effect, the FDA will wait until October 1 to exercise its “Refuse to Accept Policy for Cyber Devices and Related Systems Under Section 524B of the FD&C Act.” The policy applies to “cyber devices” as defined in section 524B: devices that include software validated, installed, or authorized by the sponsor, that have the ability to connect to the internet, and that contain technological characteristics that could be vulnerable to cybersecurity threats. Manufacturers should therefore confirm whether a product meets that definition before deciding which submissions need the new cybersecurity content.

“Beginning October 1, 2023, FDA expects that sponsors of cyber devices will have had sufficient time to prepare premarket submissions that contain information required by section 524B of the FD&C Act, and FDA may [refuse to accept] premarket submissions that do not,” the FDA stated.

These cybersecurity requirements will not apply to devices retroactively. However, if a cyber device was previously authorized and the manufacturer aims to make further changes warranting a premarket review, the law would apply for the updated premarket submission.

As healthcare organizations continue to prioritize medical device security, the new premarket requirements should give manufacturers and the providers that deploy their devices a shared baseline of security documentation, including an SBOM and a vulnerability disclosure process, from which to manage device risk together.