On December 29, 2022, President Biden signed into law the Omnibus Appropriations Act. Section 3305, titled ENSURING CYBERSECURITY OF MEDICAL DEVICES, provides the FDA with the formal authority to require manufacturers to take cybersecurity protection measures. In the past, the FDA could only provide non-binding guidance to manufacturers for their pre-market submissions.
The act has three specific requirements for pre-market submissions for medical devices that include software and can connect to the internet (called “cyber devices”):
(1) submit ... a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures;
(2) design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems to address
--(A) on a reasonably justified regular cycle, known unacceptable vulnerabilities; and
--(B) as soon as possible out of cycle, critical vulnerabilities that could cause uncontrolled risks;
(3) provide ... a software bill of materials, including commercial, open-source, and off-the-shelf software components
Per the act, other requirements to demonstrate reasonable assurance that the device and related systems are cybersecure may also be enacted.
So what does this mean for medical device manufacturers? Securing medical devices is not new, nor was it optional for FDA submissions. The first premarket and postmarket guidances were released in 2014 and 2016 respectively. A new draft premarket guidance was published in 2022 (following the 2018 draft, which was never finalized). We have seen the emphasis on cybersecurity grow over the years, both in pre-submission discussions and in 510(k)/PMA submission responses, particularly for higher-risk devices such as infusion pumps and Class III devices.
At Promenade Software, we have been including cybersecurity controls and the associated documentation in our clients' projects for several years. We have also helped scores of clients with their submission materials, penetration testing, and SBOM creation.
It remains to be seen what the formal authority provided by this act will mean in practice, but security for medical devices clearly continues to grow in priority for the agency, and manufacturers will need to comply. Just now, as this blog is being published, the FDA has issued a guidance stating that it plans to "Refuse to Accept" 510(k) submissions that do not meet the requirements above. This goes into effect October 1, 2023. Stay tuned!