Heightened Cybersecurity Requirements for Medical Devices Passed Into Law

Ballard Spahr LLP
Many privacy professionals may have missed it, but in the run-up to the New Year — while many U.S. companies were focused on complying with the California Privacy Rights Act (CPRA) — Congress passed an appropriations bill that contains significant new cybersecurity requirements for medical device companies. The Omnibus Appropriations Bill, which was signed into law on December 29, 2022, contains provisions amending the Federal Food, Drug, and Cosmetic Act to further mandate the implementation of cybersecurity controls for certain internet-connected medical devices. Specifically, any "device" (as the term is broadly defined under 21 U.S.C.S. 321(h)) must comply with the new requirements if the device: (1) includes software which is validated, installed, or authorized by the sponsor; (2) has the ability to connect to the internet; and (3) contains any technological characteristics that could be vulnerable to cybersecurity threats.

The new rules go into effect 90 days after the passage of the Bill (or March 22, 2023). Thereafter, any sponsor submitting a cyber device to the FDA must:

  1. Submit to the FDA Secretary a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures;
  2. Design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems to address: (a) on a reasonably justified regular cycle, known unacceptable vulnerabilities; and (b) as soon as possible out of cycle, critical vulnerabilities that could cause uncontrolled risks; and
  3. Provide to the Secretary of the FDA a software bill of materials, including commercial, open-source, and off-the-shelf software components.

Further, the new amendments authorize the FDA to draft regulations containing additional requirements that "demonstrate reasonable assurance that the device and related systems are cybersecure" or regulations which exempt certain devices or device types from the new requirements. While there are no express timing requirements for the draft regulations, the new amendments do require the FDA to update its existing "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices" guidance within two years, and additionally require the FDA to update its public-facing guidance regarding improving the cybersecurity of devices within 180 days.

Medical device manufacturers should carefully review their current cybersecurity controls for covered devices and keep a close eye out for the new FDA guidance and regulations. As always in the world of data privacy, if you blink, you may miss a new law or regulation.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Ballard Spahr LLP
