It's official... the FDA has published a guidance that restates the statutory requirement to include cybersecurity-related information in your Premarket Submission for almost all Medical Devices. Specifically, this requirement applies to devices that contain software (i.e., SaMD or SiMD), are able to connect to the internet, and could be vulnerable to cyber threats. Beyond what is a restatement of the statute, the guidance offers two points of importance: 1) as of March 29, 2023, new submissions must contain the requisite cyber information, and 2) as of October 1, 2023, the FDA will begin to refuse to accept submissions that do not have the requisite cyber information.
For those who didn't read the statute when it was enacted, the Agency copied and pasted the text for you. As stated, the submission must contain:
Note that the statute also requires the manufacturer to 1) design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cyber secure, and 2) make available post market updates and patches to the device and related systems to address a) known unacceptable vulnerabilities and b) critical vulnerabilities that could cause uncontrolled risks.
If you haven't already integrated cybersecurity into your quality and regulatory activities (not to mention your product design), you are already behind!
Stay in the loop with exclusive insights and valuable updates about the medical device industry and FDA approval!