FDA Updates Cybersecurity Guidance

Philip Nelson, Matthew Ruth
Knobbe Martens
Contact
LinkedIn
Facebook
X
Send
Embed

Knobbe Martens

(May 30, 2023) Going forward, medical device approval will require the device maker to provide cybersecurity information to the FDA.  Congress made this change by adding Section 524B to the Federal Food, Drug, and Cosmetic Act (FD&C Act) at the end of 2022, addressing concerns over the cybersecurity of medical devices. Risks from cybersecurity incidents involving medical devices may include “Health Insurance Portability and Accountability Act (HIPAA) violations, improper patient health assessments, miscalculated medication dosages, and other potentially fatal outcomes,” according to Lifesciences Intelligence.

The Food and Drug Administration (FDA) summarizes the rationale for this change as follows:

Medical devices are increasingly connected to the Internet, hospital networks, and other medical devices to provide features that improve health care and increase the ability of health care providers to treat patients. These same features also increase potential cybersecurity risks. Medical devices, like other computer systems, can be vulnerable to security breaches, potentially impacting the safety and effectiveness of the device.

The FDA provides further information on cybersecurity at this website.

To implement the new law, the FDA on March 29, 2023 issued new guidance about a transition period: until October 1, 2023, omission of cybersecurity details (now required by Section 524B) will not result in an immediate “refusal to accept” a new FDA submission.  The FDA instead intends to work collaboratively with applicants as part of the interactive and/or deficiency review process.  The FDA’s new guidance applies to “a person who submits a premarket application or submission – including 510(k), premarket approval application (PMA), Product Development Protocol (PDP), De Novo, or Humanitarian Device Exemption (HDE) — for a . . . cyber device.”

The statute essentially defines “cyber device” as a device that: (1) includes pre-installed or official software; (2) can connect to the internet; and (3) includes pre-installed or official technological characteristics that could be vulnerable to cybersecurity threats.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Knobbe Martens | Attorney Advertising

Written by:

Knobbe Martens
Knobbe Martens
Contact
more
less

Knobbe Martens on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide