FDA Updates Cybersecurity Guidance

By Matthew Ruth and Philip M. Nelson

Going forward, medical device approval will require the device maker to provide cybersecurity information to the FDA. Congress made this change at the end of December 2022 (in the Consolidated Appropriations Act, 2023) by adding Section 524B to the Federal Food, Drug, and Cosmetic Act (FD&C Act), addressing concerns over the cybersecurity of medical devices. Risks from cybersecurity incidents involving medical devices may include “Health Insurance Portability and Accountability Act (HIPAA) violations, improper patient health assessments, miscalculated medication dosages, and other potentially fatal outcomes,” according to Lifesciences Intelligence.

The Food and Drug Administration (FDA) summarizes the rationale for this change as follows:

[Image: FDA statement summarizing the rationale for the Section 524B cybersecurity requirements]
The FDA provides further information on cybersecurity at this website.

To implement the new law, the FDA on March 29, 2023 issued new guidance establishing a transition period: until October 1, 2023, omission of the cybersecurity details now required by Section 524B will not by itself result in a “refuse to accept” decision for a new FDA submission. Instead, the FDA intends to work collaboratively with applicants to obtain the missing information as part of the interactive and/or deficiency review process. The FDA’s new guidance applies to “a person who submits a premarket application or submission – including 510(k), premarket approval application (PMA), Product Development Protocol (PDP), De Novo, or Humanitarian Device Exemption (HDE) — for a . . . cyber device.”

The statute defines a “cyber device” as a device that: (1) includes software validated, installed, or authorized by the sponsor as a device or in a device; (2) has the ability to connect to the internet; and (3) contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats. In practice, this covers most connected medical devices that ship with manufacturer-supplied software.

Guidance for health care providers is available in updated answers to Frequently Asked Questions.