Key Takeaways
- The FDA has issued new guidance to the medical device industry highlighting the critical need for manufacturers to address cybersecurity risks in medical devices before they can be approved for use.
- The guidance specifies the information that should be included in premarket submissions for devices that contain software or firmware, including specific cybersecurity documentation such as hazard analysis, risk assessment and recommended controls to mitigate identified risks.
- The “Refuse to Accept” policy under Section 524B of the FD&C Act is significant because it underscores the importance of cybersecurity in medical devices and highlights the FDA’s commitment to ensuring the safety and security of patients. Manufacturers must prioritize cybersecurity in their product development process and ensure that their devices meet the FDA’s cybersecurity expectations to avoid refused submissions, review delays, liability for damages and reputational harm.
The U.S. Food and Drug Administration (FDA) has issued new guidance to the medical device industry on the importance of cybersecurity measures in product development. The nonbinding guidance, titled “Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber Devices Under Section 524B of the FD&C Act,” stresses the critical need for manufacturers to address cybersecurity risks in medical devices and ensure devices are secure before they can be approved for use.
Section 524B, “Ensuring Cybersecurity of Devices,” was added to the Federal Food, Drug, and Cosmetic Act (FD&C Act) on Dec. 29, 2022, through the Consolidated Appropriations Act, 2023 (Omnibus). Under the Omnibus, the amendments took effect 90 days after enactment, on March 29, 2023, and the cybersecurity requirements do not apply to any application or submission made to the FDA before that date. The FDA has also established a transition period: until Oct. 1, 2023, it generally will not refuse to accept a premarket submission solely because it omits the Section 524B information, and instead will work with firms to achieve compliance.
The FDA’s guidance is part of a broader effort to reduce the growing risk of cyberthreats in the medical device industry. The agency has been increasingly focused on the cybersecurity of medical devices in recent years, recognizing that as devices become more connected and complex, they are also becoming more vulnerable to cyberattacks.
The new guidance specifies the information that should be included in premarket submissions for devices that contain software or firmware, including specific cybersecurity documentation such as hazard analysis, risk assessment and recommended controls to mitigate identified risks. The guidance also provides details on how the FDA plans to evaluate cybersecurity documentation and what manufacturers can expect during the review process.
As part of the guidance, the FDA also issued a “Refuse to Accept” policy for cyber devices under Section 524B of the FD&C Act. The policy sets out the FDA’s expectations for the cybersecurity documentation that must accompany premarket submissions for such devices. Under Section 524B, that documentation includes a plan to monitor, identify and address postmarket cybersecurity vulnerabilities and exploits (including coordinated vulnerability disclosure), processes and procedures that provide reasonable assurance the device and related systems are cybersecure together with postmarket updates and patches, and a software bill of materials covering commercial, open-source and off-the-shelf software components. If the required documentation is missing, the submission will be refused at the acceptance stage and substantive review will not begin.
The Refuse to Accept policy is significant because it underscores the importance of cybersecurity in medical devices and highlights the FDA’s commitment to ensuring the safety and security of patients. Medical device manufacturers must prioritize cybersecurity in their product development process and ensure that their devices meet the FDA’s cybersecurity expectations to avoid refused submissions, review delays, liability for damages and reputational harm.
The FDA’s guidance and new policies provide a road map for manufacturers to follow to comply with the agency’s expectations for cybersecurity documentation. Failure to meet these expectations could result in delays in the approval process and additional costs for manufacturers.
As the medical device industry continues to evolve, cybersecurity risks will only become more complex and challenging. The FDA’s actions are critical steps toward ensuring that medical devices remain secure and safe for patients. Manufacturers must take necessary steps to comply with the guidance and prioritize cybersecurity in their product development process to avoid regulatory and legal consequences.
Authored by Lee H. Rosebush, Lynn Sessions, Laura E. Macherelli, Eric D. Morris
Baker & Hostetler LLP publications are intended to inform our clients and other friends of the firm about current legal developments of general interest. They should not be construed as legal advice, and readers should not act upon the information contained in these publications without professional counsel. The hiring of a lawyer is an important decision that should not be based solely upon advertisements. Before you decide, ask us to send you written information about our qualifications and experience.