FDA “New” Policy for Medical Devices with Cybersecurity Issues
(Thursday, March 31, 2023)
Medical devices with software that connects to the internet and creates a potentially unaddressed cybersecurity vulnerability will be rejected by the FDA, starting 29 March 2023. The policy, which has been tacitly in effect since 2014 via Guidance Documents, is now being formalized into a Refuse-to-File (RTF) criterion.
So, what’s new here? Many medical devices use software that connects to the internet for their functions and maintenance. While such an online connection provides increased functionality and convenience, it also creates vulnerability to malicious security breaches that could impact the safety of such devices for patients. While cybersecurity concerns are impossible to eliminate completely, developers are required to address identifiable cybersecurity vulnerabilities and plan for unexpected or less likely but feasible scenarios.
Since its first guidance on the topic in 2014 and its second in 2016, FDA has required a cybersecurity plan in all software-containing medical device approval applications. Specifically, developers are required to design, develop and maintain processes to assure cyber-protection of their devices; create a plan to monitor, identify and address new cybersecurity issues related to their devices; and disclose the source of their software, such as commercial, open-source or off-the-shelf components.
The “not-so-new” policy basically formalizes the previous “informal” policy by creating an RTF criterion. Previously, FDA would raise comments about the application during the review process; now it will reject applications that don’t contain suitable cybersecurity elements. The policy does not apply retroactively: previously approved devices can stay on the market and will only need to follow the new requirements if they make changes to their device that require a new market approval application.
Also, for the first 6 months, until 1 October 2023, FDA promised not to apply the new RTF policy strictly; instead, it would allow applicants to revise the cybersecurity-related portions of their application during the review period.
Dr. Mukesh Kumar
Founder & CEO, FDAMap
LinkedIn: Mukesh Kumar, PhD, RAC