FDA Says New Applications for Cyber Devices Need a Security Plan

Starting March 29, new applications to the FDA for a “cyber device” must identify any vulnerabilities and include a plan for ongoing security throughout the device’s life, the FDA said in a final guidance released yesterday.

“Cyber device” means a device that includes software, can connect to the internet and has any technology that could be vulnerable to cybersecurity threats.

In new applications for medical device approvals, sponsors must include a plan to monitor and identify vulnerabilities, have a process for ongoing security including postmarket updates and list the software and/or components, and “comply with such other requirements as the Secretary may require through regulation to demonstrate reasonable assurance that the device and related systems are cybersecure,” the guidance states.

The agency says that until Oct. 1, for premarket submissions that don’t have all the required cybersecurity information, the agency “generally intends not to issue ‘refuse to accept’ (RTA) decisions” and instead will “work collaboratively with sponsors ... as part of the interactive and/or deficiency review process.”