Dive Brief:

• Under a law passed in December, medical device makers must include cybersecurity information in their pre-market submissions to the U.S. Food and Drug Administration.
• FDA says it won’t immediately issue “refuse to accept” notices for submissions lacking cybersecurity plans, but will work with companies to ensure they can comply.
• October 1 start date will give device makers “sufficient time” to prepare cybersecurity plans, FDA says.  

Dive Insight:

As the number of cyber attacks on hospitals increases, experts have been warning of the need to secure medical devices. More than half of connected medical devices in hospitals had known critical vulnerabilities, and 40% of devices at the end-of-life stage had few or no security patches, according to a report released in September by the Federal Bureau of Investigation. 

In the past, the FDA has shared its thinking on cybersecurity through a series of guidances, but these have generally been considered “nonbinding,” according to a report from PricewaterhouseCoopers. That’s changing now that Congress has given the agency the authority to require cybersecurity information as part of the approval or clearance process for devices that include software or have the ability to connect to the internet. 

The law went into effect on March 29. In June, the FDA must report on how companies are improving their device-related cybersecurity, and by December 2024, the agency must provide updated guidance for medical device companies. 

The FDA shared a draft guidance a year ago that details how device manufacturers should address security in premarket submissions and throughout the rest of the product life cycle. If companies don’t comply, they could face delays in bringing their products to market.

The agency has not yet finalized the guidance, but it’s on the FDA’s short list for 2023.

Updates to clarify FDA’s position on submissions lacking cybersecurity information.