
FDA Updates Cybersecurity Guidance


By Matthew Ruth

(May 30, 2023) Going forward, medical device approval will require the device maker to provide cybersecurity information to the FDA.  Congress made this change by adding Section 524B to the Federal Food, Drug, and Cosmetic Act (FD&C Act) at the end of 2022, addressing concerns over the cybersecurity of medical devices. Risks from cybersecurity incidents involving medical devices may include “Health Insurance Portability and Accountability Act (HIPAA) violations, improper patient health assessments, miscalculated medication dosages, and other potentially fatal outcomes,” according to Lifesciences Intelligence.

The Food and Drug Administration (FDA) summarizes the rationale for this change as follows:

Medical devices are increasingly connected to the Internet, hospital networks, and other medical devices to provide features that improve health care and increase the ability of health care providers to treat patients. These same features also increase potential cybersecurity risks. Medical devices, like other computer systems, can be vulnerable to security breaches, potentially impacting the safety and effectiveness of the device.

The FDA provides further information on cybersecurity at this website.

To implement the new law, the FDA on March 29, 2023, issued new guidance about a transition period: until October 1, 2023, omission of cybersecurity details (now required by Section 524B) will not result in an immediate “refusal to accept” a new FDA submission. The FDA instead intends to work collaboratively with applicants as part of the interactive and/or deficiency review process. The FDA’s new guidance applies to “a person who submits a premarket application or submission – including 510(k), premarket approval application (PMA), Product Development Protocol (PDP), De Novo, or Humanitarian Device Exemption (HDE) — for a . . . cyber device.”

The statute essentially defines “cyber device” as a device that: (1) includes pre-installed or official software; (2) can connect to the internet; and (3) includes pre-installed or official technological characteristics that could be vulnerable to cybersecurity threats.

Guidance for health care providers is available in updated answers to Frequently Asked Questions.

 

 

 

By using this blog, you agree and understand that no information is being provided in the context of any attorney-client relationship. You further agree and understand that nothing herein is intended to be legal advice. This blog is solely informational in nature, and is not intended as, and should not be used as, a substitute for competent legal advice from a retained and licensed attorney in your state. Knobbe Martens LLP makes no representations or warranties as to the accuracy, completeness, timeliness or availability of the information in this blog. Knobbe Martens LLP will not be liable for any injury or damages relating to your use of, or access to, any such information. Knobbe Martens LLP undertakes no obligation to correct or update information on this blog, which may be incorrect or become incorrect or out of date over time. Knobbe Martens LLP reserves the right to alter or delete content or information on the blog at any time. This blog contains links and references to other websites and publications that you may find of interest. Knobbe Martens LLP does not control, promote, endorse or otherwise have any affiliation with any other websites or publications unless those websites or publications expressly state such an affiliation. Knobbe Martens LLP further has no responsibility for, and makes no representations regarding, the content, accuracy or any other aspect of the information in such websites or publications.