FDA recently published final guidance introducing a new refuse-to-accept policy for cyber devices and related systems under Section 524B of the FD&C Act. This policy outlines the required information manufacturers must include in premarket submissions. While the new requirements are effective immediately, the FDA will use enforcement discretion until October 1, 2023, aligning with the upcoming eSTAR submission implementation date. During this time, the FDA will review premarket submissions for compliance with the new policy, but manufacturers will not be penalized for noncompliance until after the enforcement discretion period.
The four key requirements of the new policy include the following:
- Submission of a plan to monitor, identify, and address post-market cybersecurity vulnerabilities and exploits
- Development and maintenance of processes and procedures to provide reasonable assurance that the device and related systems are cyber secure
- Provision of a software bill of materials, and
- Compliance with other requirements that the FDA may require through regulation to demonstrate reasonable assurance that the device and related systems are cyber secure.
Last April FDA also issued updated draft guidance on cybersecurity for medical device premarket submissions. This guidance, titled "Cybersecurity for Medical Devices: Quality System Considerations and Content of Premarket Submissions," provides recommendations for manufacturers on integrating cybersecurity into their device design and development processes and what information to include in premarket submissions to demonstrate cybersecurity risk management.
Overall, the FDA's recent actions demonstrate a commitment to addressing the growing threat of cyber-attacks on medical devices. By implementing stronger cybersecurity policies and working with industry stakeholders, the FDA is helping to ensure the safety and security of medical devices and ultimately protecting patients from harm.
Qserve regularly works with manufacturers to identify and mitigate cybersecurity risks according to FDA guidance and expectations.
You can access the full guidance document here: Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber Devices and Related Systems Under Section 524B of the FD&C Act | FDA