Skip to content

FDA Updates Cybersecurity Guidance


By Matthew Ruth

(May 30, 2023) Going forward, medical device approval will require the device maker to provide cybersecurity information to the FDA.  Congress made this change by adding Section 524B to the Federal Food, Drug, and Cosmetic Act (FD&C Act) at the end of 2022, addressing concerns over the cybersecurity of medical devices. Risks from cybersecurity incidents involving medical devices may include “Health Insurance Portability and Accountability Act (HIPAA) violations, improper patient health assessments, miscalculated medication dosages, and other potentially fatal outcomes,” according to Lifesciences Intelligence.

The Food and Drug Administration (FDA) summarizes the rationale for this change as follows:

Medical devices are increasingly connected to the Internet, hospital networks, and other medical devices to provide features that improve health care and increase the ability of health care providers to treat patients. These same features also increase potential cybersecurity risks. Medical devices, like other computer systems, can be vulnerable to security breaches, potentially impacting the safety and effectiveness of the device.

The FDA provides further information on cybersecurity at this website.

To implement the new law, the FDA on March 29, 2023 issued new guidance about a transition period: until October 1, 2023, omission of cybersecurity details (now required by Section 524B) will not result in an immediate “refusal to accept” a new FDA submission.  The FDA instead intends to work collaboratively with applicants as part of the interactive and/or deficiency review process.  The FDA’s new guidance applies to “a person who submits a premarket application or submission – including 510(k), premarket approval application (PMA), Product Development Protocol (PDP), De Novo, or Humanitarian Device Exemption (HDE) — for a . . . cyber device.”

The statute essentially defines “cyber device” as a device that: (1) includes pre-installed or official software; (2) can connect to the internet; and (3) includes pre-installed or official technological characteristics that could be vulnerable to cybersecurity threats.

Guidance for health care providers is available in updated answers to Frequently Asked Questions.





, ,

FDA Updates Cybersecurity Guidance Headshot

Matthew Ruth

Matthew Ruth’s practice focuses on global patent prosecution and intellectual property portfolio management. He is also experienced with issues involving U.S. regulatory governance and antitrust.

Matthew assists clients in a range of technical fields including artificial intelligence, clean energy, electrical engineering, and electromechanical devices.

Matthew received his J.D. from the Sandra Day O’Connor College of Law at Arizona State University, where he worked with the Center for Law, Science, and Innovation on matters relating to the governance of emerging environmental technologies and artificial intelligence. Matthew also served as Senior Executive Editor of Jurimetrics, The Journal of Law, Science and Technology. During law school, Matthew worked with small business clients handling employment and IP contracting through the Innovation Advancement Clinic. He also worked as an advocate for small businesses in Washington D.C. on matters relating to antitrust, data privacy, and patents in the year prior to graduation. Upon graduation, Matthew received the Strouse Prize recognizing his contributions to the Law, Science, and Technology program at Arizona State.

Before attending law school, Matthew worked as an independent consultant specializing in geographic data analysis and interned as a telecommunications engineer.

Matthew joined the firm in 2022.

View all posts published by Matthew Ruth
FDA Updates Cybersecurity Guidance Headshot

Philip Nelson

Philip Nelson counsels clients in all stages of growth, from startups to established public companies. To jump-start young portfolios, Mr. Nelson pioneered use of special programs to cut through red tape for rapid patent allowance. For those wanting to preserve options at minimal cost, he has a tested protocol. He especially enjoys laying sophisticated patent minefields, protecting core assets with an eye to the future concept and product pipeline. No matter when he joins the team, he quickly grasps the technology and points to the best options to support the business.

Mr. Nelson builds value for investment and acquisition by working with company visionaries and scientists to describe and protect their ideas. Although the patent office likes to say “no,” he works through the objections, often speaking to patent examiners in person to negotiate for better claims. Collegial persistence and technical tutorials tend to persuade examiners, getting them to “yes.”

Mr. Nelson drafts and negotiates technology agreements and advises on big-picture strategy. When opposing diligence counsel is just pasting in a pat phrase from a template, he uses his experience from the trenches (prosecuting, negotiating, and litigating) to correct the meaning and serve his clients.

Mr. Nelson advises on contested matters, drafts litigation briefs, and works closely with litigator colleagues. He negotiates with his clients’ adversaries to avoid suit or improve litigation positions. When a competitor claimed to own his client’s invention in chemistry lab instruments, he won two patent office “interferences”—and a Federal Circuit appeal—to preserve his client’s ownership rights. He handles complex patent office trials such as interferences, derivations, and inter-partes reviews. He did reexaminations and inter-partes reexaminations back before they were cool (before the America Invents Act popularized Board proceedings).

His physics background and widely varied experience at a top intellectual property boutique for almost 20 years has created a sophisticated advocate for his clients. Mr. Nelson looks forward to helping you assess the field, build your defenses, close your deal, and rain fire on your IP problems and adversaries.

View all posts published by Philip Nelson
By using this blog, you agree and understand that no information is being provided in the context of any attorney-client relationship. You further agree and understand that nothing herein is intended to be legal advice. This blog is solely informational in nature, and is not intended as, and should not be used as, a substitute for competent legal advice from a retained and licensed attorney in your state. Knobbe Martens LLP makes no representations or warranties as to the accuracy, completeness, timeliness or availability of the information in this blog. Knobbe Martens LLP will not be liable for any injury or damages relating to your use of, or access to, any such information. Knobbe Martens LLP undertakes no obligation to correct or update information on this blog, which may be incorrect or become incorrect or out of date over time. Knobbe Martens LLP reserves the right to alter or delete content or information on the blog at any time. This blog contains links and references to other websites and publications that you may find of interest. Knobbe Martens LLP does not control, promote, endorse or otherwise have any affiliation with any other websites or publications unless those websites or publications expressly state such an affiliation. Knobbe Martens LLP further has no responsibility for, and makes no representations regarding, the content, accuracy or any other aspect of the information in such websites or publications.
close modal