Recently, the Food and Drug Administration (FDA) issued updated regulations regarding medical devices, specifically related to the cybersecurity requirements of those devices. These new requirements are found in Section 524B, Ensuring Cybersecurity of Devices, of the Food, Drug, and Cosmetic Act (FD&C Act).
The new regulations officially went into effect on October 1, 2023, so chief information security officers (CISOs) and other security leaders working for medical device companies need to prioritize compliance to avoid having their new devices refused by the FDA under the agency’s Refuse to Accept (RTA) policy.
Who Will Be Impacted?
The new regulations will apply to anyone who “submits a premarket application or submission […] for a device that meets the definition of a cyber device” — with “cyber device” defined as follows:
“A device that (1) includes software validated, installed, or authorized by the sponsor as a device or in a device, (2) has the ability to…