FDA Publishes Implementation Policy Regarding Cybersecurity Requirements for Medical Device Premarket Submissions

Nelson Mullins Riley & Scarborough LLP

The U.S. Food and Drug Administration (FDA or the Agency) published guidance regarding cybersecurity requirements for certain device premarket submissions (the Guidance).[1] The Guidance outlines the implementation of new Section 524B of the Federal Food, Drug, and Cosmetic Act (FDCA), which requires that manufacturers submitting premarket submissions for cyber devices meet specific cybersecurity requirements.[2] In addition to issuing the Guidance, FDA also published FAQs related to cybersecurity in medical devices.[3]

“Cyber Devices”

The new cybersecurity requirements apply to medical device manufacturers submitting premarket submissions[4] for products that meet the definition of a “cyber device” under Section 524B(c). A cyber device is defined as a device that: (1) includes software validated, installed, or authorized by the sponsor as a device or in a device; (2) can connect to the Internet; and (3) contains technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.

The Cybersecurity Requirements

Under Section 524B(b), manufacturers submitting premarket applications for cyber devices must:

  • Submit a plan to monitor, identify, and address post-market cybersecurity vulnerabilities and exploits;
  • Design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure;
  • Make available post-market updates and patches to the device and related systems to address known unacceptable vulnerabilities and critical vulnerabilities that could cause uncontrolled risks; and
  • Provide a software bill of materials, including commercial, open-source, and off-the-shelf software components.

Temporary Enforcement Discretion

For cyber device premarket submissions submitted before October 1, 2023, FDA generally intends not to issue “refuse to accept” (RTA) decisions based solely on non-compliance with the requirements of Section 524B. Rather, FDA intends to work with manufacturers collaboratively as part of the submission review process. After October 1, 2023, however, FDA may issue RTA decisions for premarket submissions for cyber devices that do not meet the Section 524B requirements.

***

Nelson Mullins continues to closely monitor developments regarding cybersecurity and FDA’s regulation of medical devices.

Paul Clowes, law clerk in the Greenville office, contributed to the drafting of this post.

[1] Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber Devices and Related Systems Under Section 524B of the FD&C Act, FDA (Mar. 30, 2023).

[2] Section 524B became effective March 29, 2023. Congress added Section 524B to the FDCA through the Consolidated Appropriations Act, 2023, 117th Cong., H.R. 2617, § 3305 (“Ensuring Cybersecurity of Medical Devices”) (2022).

[3] Cybersecurity in Medical Devices Frequently Asked Questions (FAQs), FDA (Mar. 29, 2023).

[4] Under Section 524B(a), the cybersecurity requirements apply to device manufacturers submitting premarket applications for cyber devices, including: premarket approval applications (PMAs), 510(k) notifications, Product Development Protocols (PDPs), De Novo submissions, and Humanitarian Device Exemption submissions (HDEs).

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Nelson Mullins Riley & Scarborough LLP | Attorney Advertising
