Cybersecurity and the Omnibus Appropriations Act

On December 29, 2022, President Biden signed into law the Omnibus Appropriations Act.  Section 3305, titled ENSURING CYBERSECURITY OF MEDICAL DEVICES, provides the FDA with the formal authority to require manufacturers to take cybersecurity protection measures. In the past, the FDA could only provide non-binding guidance to manufacturers for their pre-market submissions.

The act has 3 specific requirements for pre-market submissions for internet-connected medical devices (called “cyber devices”):

(1) submit ... a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures;
(2) design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems to address
--(A) on a reasonably justified regular cycle, known unacceptable vulnerabilities; and
--(B) as soon as possible out of cycle, critical vulnerabilities that could cause uncontrolled risks;
(3) provide ... a software bill of materials, including commercial, open-source, and off-the-shelf software components

Per the act, other requirements to demonstrate reasonable assurance that the device and related systems are cybersecure may also be enacted.

So what does this mean for medical device manufacturers? Securing medical devices is not new, nor was it optional for FDA submissions. The first pre- and postmarket guidances were released in 2014 and 2016 respectively. A new draft guidance was published in 2022 (following the previous 2018 draft, which was never released. We have seen an emphasis on cybersecurity grow over the years, both in pre-sub discussions and in 510k/PMA submission responses, particularly for higher risk devices like infusion pumps and other Class III devices. At Promenade Software, we have been including Cybersecurity controls and associated documentation for our clients for several years. We have also helped scores of clients with their submission materials, penetration testing, and SBOM creation.

It is yet to be seen what the formal authority provided in this act will mean, but clearly security for medical devices continues to grow in priority for the agency, and the manufacturers will need to comply. Just now, as this blog is being published, the FDA issued a guidance outlining that it plans to "Refuse to Accept" 510k submissions that do not meet the above requirements. This will go into effect October 1, 2023. Stay tuned!

Need help on this topic?
Contact Us
Frances Cohen

Frances Cohen is President of Promenade Software Inc., a leading software services firm specializing in medical device and safety-critical system software. Frances has more than 20 years of experience leading software teams for medical device software. Starting with heart defibrillators for Cardiac Science and following with Source Scientific LLC and BIT Analytical Instruments Inc., Frances has overseen dozens of projects through development and the FDA, including IDEs, 510(k)s, and PMAs.  

Frances has a B.S. in computer engineering from the Technion, Israel Institute of Technology.

linkedin logo
SUBSCRIBE TO
NEWSLETTER
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
ABOUT
PROMENADE SOFTWARE

Promenade Software, Inc. specializes in software development for medical devices and other safety-critical applications.
Promenade is ISO 13485, and CypherMed Cloud is SOC2 Type II certified.