New Cybersecurity Requirements for Cyber Medical Devices
The way that medical device manufacturers prepare premarket submissions for cyber devices is undergoing a significant change. This not only impacts FDA submissions but affects how cybersecurity is incorporated into the entire medical device lifecycle.
This change comes as a result of the Consolidated Appropriations Act (Omnibus Bill) which was signed into law on the 29th of December 2022, and came into effect 90 days later on the 29th of March 2023. Medical device manufacturers need to act fast.
What Are the 4 New FDA Cybersecurity Requirements for Medical Devices?
1. Postmarket Monitoring: Submit a plan to monitor, identify, and address, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures;
2. Device Updates: Design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems to address— on a reasonably justified regular cycle, known unacceptable vulnerabilities; and as soon as possible out of cycle, critical vulnerabilities that could cause uncontrolled risks;
3. SBOM: Provide a software bill of materials (SBOM)
4. Regulatory Compliance: Ensure compliance with other requirements that the FDA may require through regulation to demonstrate reasonable assurance that the device and related systems are cyber secure.
How SelectEvidence™ Enables You Meet New FDA Cybersecurity Requirements
Postmarket Monitoring: SelectEvidence allows you to automate postmarket cybersecurity monitoring. You can also automate the performance of premarket cybersecurity risk assessments and generate all regulatory and customer reports.
Device Updates: Manage traceability and revision control throughout the medical device lifecycle.
SBOM: Multi-format ingestion of each and every Software Bill of Materials.
Regulatory Compliance: With SelectEvidence™ you can reuse mitigation knowhow across your portfolio of risk assessments. This enhances standardization and reduces duplicate analysis.
FDA’s RTA Deadline – Oct 1st, 2023
Alongside these new security requirements is FDA’s new RTA policy (refuse-to-accept policy). From March 29th 2023, there is a 6-month grace period where FDA will work collaboratively with applicants to remedy defects in their cybersecurity documentation.
However, from October 1st 2023, FDA will reject or ‘refuse to accept’ submissions that do not include information relating to the four new FDA cybersecurity requirements for medical devices. Medical device manufacturers need to act fast.
Meet New Cybersecurity Requirements By Integrating With SelectEvidence™
Medical device manufacturers can meet the new FDA cybersecurity requirements by integrating with SelectEvidence™.
SelectEvidence™ is a cybersecurity risk management solution for connected medical devices that automates the continuous monitoring of vulnerabilities and the identification of related mitigations, while generating live regulatory reports.