The US Food and Drug Administration (FDA) has announced that medical device manufacturers will now have to comply with certain cybersecurity standards when submitting a new product application.
The FDA has issued guidance requiring medical device makers to provide specific cybersecurity-related information when submitting a new product application. This includes a description of a plan for identifying and addressing vulnerabilities and exploits in a reasonable time, processes and procedures for releasing postmarket updates and patches, and a software bill of materials (SBOM) for commercial, open source and off-the-shelf components. The requirements apply to cyber devices — any device that runs software, has the ability to connect to the internet, and could be vulnerable to cyber threats.
The FDA notes that these requirements do not apply to submissions made prior to March 29, 2023, and the agency will not reject applications solely on the basis of this requirement until October 1; it will provide assistance to companies until that date. Companies must meet the requirements starting October 1, or else the FDA may reject their premarket submissions.
The FDA has also published an FAQ page with additional clarifications and links to useful resources. The US Cybersecurity and Infrastructure Security Agency (CISA) has been publishing advisories that describe vulnerabilities in medical devices, while the FBI issued a notification last year warning healthcare facilities of the risks associated with unpatched and outdated medical devices.
In light of the increasing cyber threats to medical devices, the US Food and Drug Administration (FDA) has issued guidance requiring medical device makers to submit specific cybersecurity-related information when submitting a new product application. This includes a description of a plan for identifying and addressing vulnerabilities and exploits, processes and procedures for releasing postmarket updates and patches, and a software bill of materials (SBOM). Companies must meet these requirements starting October 1, 2023, or else the FDA may reject their premarket submissions. The FDA has provided an FAQ page with additional clarifications and links to useful resources.
Key Points:
- The US Food and Drug Administration (FDA) has issued guidance requiring medical device makers to submit specific cybersecurity-related information when submitting a new product application.
- This includes a description of a plan for identifying and addressing vulnerabilities and exploits, processes and procedures for releasing postmarket updates and patches, and a software bill of materials (SBOM).
- Companies must meet these requirements starting October 1, 2023, or else the FDA may reject their premarket submissions.
- The FDA has provided an FAQ page with additional clarifications and links to useful resources.