Many privacy pundits may have missed it, but heading into the new year, while most U.S. companies were focused on complying with the California Privacy Rights Act (CPRA), Congress passed an omnibus appropriations bill containing significant new cybersecurity requirements for medical device companies. The Consolidated Appropriations Act, 2023, signed into law on December 29, 2022, amends the Federal Food, Drug, and Cosmetic Act (adding a new Section 524B) to mandate cybersecurity controls for certain internet-connected medical devices. Specifically, any "device" (as that term is broadly defined at 21 U.S.C. § 321(h)) is a "cyber device" subject to the new requirements if it: (1) includes software validated, installed, or authorized by the sponsor as a device or in a device; (2) has the ability to connect to the internet; and (3) contains any such technological characteristics that could be vulnerable to cybersecurity threats.
The new requirements take effect 90 days after enactment, i.e., March 29, 2023. From that date, sponsors submitting premarket applications for cyber devices to the FDA must:
- Submit a plan to monitor, identify, and address, as appropriate and in a reasonable time, post-market cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures.
- Design, develop, and maintain processes and procedures that provide reasonable assurance that the device and related systems are cybersecure, and make post-market updates and patches available for the device and related systems to address (a) known unacceptable vulnerabilities, on a reasonably justified regular cycle, and (b) critical vulnerabilities that could cause uncontrolled risks, as soon as possible and out of cycle.
- Provide a software bill of materials (SBOM) covering commercial, open-source, and off-the-shelf software components.
In addition, the amendments authorize the FDA to issue regulations imposing further requirements that "demonstrate reasonable assurance that the device and related systems are cybersecure," and to exempt specific devices or categories of devices from the new requirements. Although the statute sets no deadline for such regulations, it does require the FDA to update its existing Content of Premarket Submissions for Management of Cybersecurity in Medical Devices guidance within two years, and to update its public information on improving the cybersecurity of devices within 180 days.
Medical device manufacturers should carefully review the current cybersecurity controls on their devices and watch for the forthcoming FDA guidance and regulations. As with everything in the world of data privacy, blink and you can miss a new law or regulation.