Part 2 of 3: Adapting to New Cybersecurity Requirements for Medical Cyber Devices (+Free Webinar Sign-up) 

In part 1 of this mini series, we discussed the new cybersecurity requirements that have come into effect for all medical cyber devices. These cybersecurity requirements were signed into law on the 29th of December 2022 as part of the Omnibus Spending Bill. This new law officially came into effect 90 days after the Omnibus Spending Bill, on the 29th of March 2023. 

These new requirements will have a huge impact on how medical device manufacturers prepare and manage premarket submissions as applicants must provide proof of these security measures in their premarket documentation. 

The Significance of the October 1st RTA Deadline


Alongside these new cybersecurity requirements, you may have heard of FDA’s new RTA (refuse-to-accept) Policy for Cyber Devices. The RTA Policy has come into effect since October 1st 2023. This is quite significant for medical device manufacturers.

What this essentially means is that for a period of 6 months (between 29th of March 2023 and October 1st) the FDA pledged to work collaboratively with applicants to remedy defects in their cybersecurity documentation. If you hadn’t prepared your documents in the correct way or implemented the correct security measures, the FDA will help you rectify it. This 6-month grace period was there to give medical device manufacturers time to adjust to a new way of preparing premarket submissions. 

However, since October 1st, FDA has enforced a refuse-to-accept policy where they reject or ‘refuse to accept’ submissions that don’t include documentation related to the new cybersecurity requirements. 

                        • This is an automatic, computer-generated response. 
                        • Your submission is not seen by a human eye. If you do not have the security measures in place it is a case of “computer says no”. 
                        • There is no collaboration or leeway. 
                        • If your submission doesn’t detail the new cybersecurity measures, FDA will reject it on the spot. It will be up to you to seek consultation in order to rectify the error.

The deadline has already passed but it’s not too late to make amends.

Register for Our Free Webinar Today


On Monday, October 30, 2023 11AM EDT, Nova Leah, together with Bluebridge Technologies,will be hosting a free webinar titled:

‘Navigating FDA’s New Cyber Device Paradigm – Cybersecurity And Compliance, Sharing Industry Best Practices’

The FREE webinar will include:

                      • 3 industry experts delving into the intricacies of compliance and cybersecurity in the medical device industry.
                      • Best practices for designing, developing, and maintaining cyber secure medical devices in an all new medical cyber device regulatory environment.
                      • A run through the essentials of the new FDA cyber device criteria and its impact on your software/system development procedures and maintenance lifecycle. 
                      • Expert Q&A.

Our experts will also journey through the product development and risk management lifecycle, where you can learn about pre and post market cybersecurity risk management including, threat modeling, creating, updating, and monitoring software bill of materials (SBOM), vulnerability assessments, effective coordinated vulnerability disclosure strategies, and developing practices to avoid the new gotcha elements within the regulation. 

You can register for the free webinar using the button below.  We hope to see you there.

Learn more about the speakers and the event here.

Register for Free