Understand new FDA cybersecurity requirements for cyber devices
Last updated
© Copyright MedCrypt 2024, All rights reserved.
Note: As of this update on Nov 1, 2023, these are the current FDA requirements. You should check FDA resources for the most current information.
The Consolidated Appropriations Act for 2023 was signed into law on December 29, 2022 and includes the Food and Drug Omnibus Reform Act (FDORA), also known as Omnibus. Section 3305 of Omnibus, "Ensuring Cybersecurity of Medical Devices," amended the FD&C Act by adding a new section, 524B(c).
The Omnibus Act finalized guidance on reasonable patch and update cycles and on moving medical devices toward being "secure by design" throughout the device lifecycle. The specifics are laid out below.
The new section 524B(c) of the FD&C Act - Ensuring Cybersecurity of Devices defines a cyber device as a device that:
Includes software validated, installed, or authorized by the sponsor as a device or in a device;
Has the ability to connect to the internet; and
Contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.
This applies to prospective submissions for "cyber devices" under the 510(k), De Novo, HDE, PDP, PMA, and IDE pathways.
The requirement took effect 90 days after signing, on March 29, 2023. Check the FDA medical device cybersecurity FAQs for more information.
Section 524B(a) requires that a sponsor submitting under any of the pathways above provide the documentation detailed in section 524B(b).
Section 524B(b) requires manufacturers of cyber devices to:
Submit to the Secretary a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures;
Design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems to address –
On a reasonably justified regular cycle, known acceptable vulnerabilities; and
As soon as possible out of cycle, critical vulnerabilities that could cause uncontrolled risks;
Provide to the Secretary a software bill of materials, including commercial, open-source, and off-the-shelf software components; and
Comply with other such requirements as the Secretary may require through regulation to demonstrate reasonable assurance that the device and related systems are cybersecure.