ARQon

US: Guidance: Cybersecurity Requirement for Medical Devices

Updated: May 30, 2023

The majority of medical devices are connected to the internet and to other networks in order to provide better health care. This exposes medical devices and systems to cyber threats and increases cybersecurity risk: exploited vulnerabilities may cause systems and devices to function ineffectively.


Hence, the Federal Food, Drug, and Cosmetic Act (FD&C Act) was amended to add section 524B, "Ensuring Cybersecurity of Devices". The amendment was enacted by Section 3305 of the Consolidated Appropriations Act, 2023 (Omnibus), "Ensuring Cybersecurity of Medical Devices", signed into law on 29 December 2022. It took effect on 29 March 2023.


The amended law requires that any application or submission for a device meeting the definition of a cyber device, whether under Section 510(k), 513, 515(c), 515(f) or 520(m), provide information demonstrating that the device complies with FDA's cybersecurity requirements. A cyber device, as defined in the section, is a device that includes software validated, installed or authorized by the sponsor as a device or in a device, that has the ability to connect to the internet, and that contains technological characteristics validated, installed or authorized by the sponsor that could be vulnerable to cybersecurity threats.


Below are the cybersecurity requirements that the applicant must satisfy, as FDA may request them:

  1. Submit a plan to monitor, identify and address, within a reasonable time, any post-market cybersecurity vulnerabilities, including the notification and remediation procedures.

  2. Provide a software bill of materials (SBOM) covering the commercial, open-source and off-the-shelf software components of the device.

  3. Comply with any other requirements FDA may request to demonstrate that the device and related systems are cybersecure.

  4. Design, develop and maintain processes and procedures that provide assurance that the device and related systems are cybersecure, and make post-market updates and patches available to address:

     a. On a reasonably justified regular cycle, known unacceptable vulnerabilities

     b. Vulnerabilities that may cause uncontrolled risks


FDA does not intend to issue "Refuse To Accept" (RTA) decisions for cyber device premarket submissions submitted before 1 October 2023; instead, FDA will work with sponsors on the cybersecurity requirements as part of the review process. After 1 October 2023, however, FDA expects sponsors to have had enough time to prepare the requirements stated above and will issue RTA decisions for premarket submissions that do not comply with the FD&C Act.


Source: FDA

Contact us at info@arqon.com for more information. 
