FDA’s Cybersecurity Authority in 2023

Today the FDA has issued a new final guidance on the Refuse to Accept (RTA) policy relating to cybersecurity in medical devices, specifically for “Cyber Devices” as defined in the newly-amended FD&C Act (Section 524B). In mapping its guidance to the new statutory authority, the FDA specifies what is expected when a submission is provided to the agency for review.

What does this mean for you? If you’re a company building a medical “cyber device”, it is now a requirement that you build your device to be secure by design, develop strategies to monitor and maintain the security of that device postmarket and for the life of the device, generate and maintain a software bill of materials, and generate the requisite documentation proving you’ve done so as part of your FDA regulatory submission.

When we started MedCrypt in 2016, we heard many healthcare stakeholders say that cybersecurity wouldn’t be an important topic in medical devices until the FDA made it so. The FDA’s announcement makes it clear that this day has come. If you have questions about what you can do to satisfy these new FDA requirements, please reach out to us at info@medcrypt.com. Keep an eye out for a more comprehensive analysis of this new guidance document, coming soon.

MedCrypt exists to help healthcare technology companies build products that are secure by design. We’re excited to help our industry bring innovative clinical technologies to patients today, while anticipating the cybersecurity challenges of tomorrow.

Follow MedCrypt on LinkedIn and Twitter and subscribe to our newsletter to stay up to date on the latest news in medical device cybersecurity.