On 29 March 2023 the Consolidated Appropriations Act of 2023 went into effect, and among its provisions was an update to the FDA’s authority concerning postmarket cybersecurity in medical devices. The relevant section, which begins on page 1, 374 of the bill, increases the authority the FDA has to refuse approval of medical devices that fail to meet certain cybersecurity planning requirements. Medical device manufacturers must do the following to the FDA’s satisfaction:
- submit a plan to monitor, identify, and address postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures;
- design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure;
- make available postmarket updates and patches to the device and related systems to address known unacceptable and critical vulnerabilities;
- provide a software bill of materials, including commercial, open-source, and off-the-shelf software components; and
- comply with “such other requirements as the Secretary may require” through regulation to demonstrate reasonable assurance that the device and related systems are cybersecure.
Previously, the requirements were “guidelines,” which left the FDA with no authority to deny approval for medical devices that failed to provide documentation of their postmarket cybersecurity plan. The shift of the language to “requirements” expands the FDA’s authority. After a 90 day grace period, the FDA will begin denying approval for medical devices that do not satisfy these requirements for managing postmarket cybersecurity. The FDA’s official notice can be found here, and includes a link to the Act.