It’s after March 29, 2023. That means that the requirements outlined in section 524B, Ensuring Cybersecurity of Devices (section 3305) of the Consolidated Appropriations Act, 2023 (the “Omnibus” spending bill) start to come into play for medical device, equipment, and supplies manufacturers. Here, we will outline the new cybersecurity requirements from the Omnibus and what medical manufacturers can expect.
If you have submitted an application or submission to the FDA before March 29, 2023, rest easy. The cybersecurity requirements of section 524B are not necessary for applications before that date.
Additionally, the FDA intends to work with organizations collaboratively to go over the new requirements and does not plan to issue “refuse to accept” (RTA) decisions for premarket submissions for cyber devices based solely on information required by section 524B for applications submitted before October 1, 2023.
Device applications submitted before March 29, 2023 do not need to meet the new conditions. However, if you plan to submit a cyber device that was previously authorized but with a change that requires premarket review by the agency, the law applies to that new premarket submission if it is made after March 29, 2023.
Who Must Comply with the Requirements of Section 524B?
According to the FDA, anyone submitting a premarket application or submission for a device that meets the definition of a cyber device must follow the cybersecurity requirements of section 524B. This includes 510(k), premarket approval application (PMA), Product Development Protocol (PDP), De Novo, or Humanitarian Device Exemption (HDE) submissions.
What is a Cyber Device?
The FDA defines a “cyber device” as a device that:
- Includes software validated, installed, or authorized by the sponsor as a device or in a device
- Has the ability to connect to the internet, and
- Contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.
If manufacturers are unsure whether their device is a cyber device, they may contact the FDA.
Essentially, any software-bearing device that can connect to the internet and could be exposed to a cybersecurity threat is considered a cyber device and is expected to meet the FDA’s new requirements.
What are the cybersecurity requirements of Section 524B?
Section 524B(a) requires organizations to demonstrate that their devices meet the requirements of section 524B(b). Under those requirements, you must:
- Submit a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures;
- Design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems; and
- Provide a software bill of materials, including commercial, open-source, and off-the-shelf software components.
How Can Medical Device Manufacturers Address these Requirements with ERP?
Medical manufacturers need to identify the cybersecurity risks of their devices and come up with a plan for monitoring and addressing those vulnerabilities. This includes defining processes for protecting their devices. The right Enterprise Resource Planning (ERP) tool can simplify meeting these requirements by offering complete transparency of your systems. An ERP allows you to trace every aspect of your cybersecurity protocols. Your team can quickly evaluate the health of your system and trace problems right to their root cause. This transparency and extensive tracking also make it simple to present documentation to the FDA or other regulatory bodies. To choose the right ERP for your business, look to a one-stop-shop ERP consultant like Datix. With over 25 years in the industry, we can provide support with ERP, CRM, integration, hosting, disaster recovery, and much more.
In addition, your business protocols can be enforced by your system, so you know with certainty that your team is following them exactly. By setting up required fields with specific data input requirements for certain procedures, you can make sure the information you receive is consistent. An ERP even makes it easier for your team to respond to potential threats quickly, as the system can be set up with automated alerts that notify your staff when certain preset conditions occur. To implement an ERP, Datix can help. We take a business-first approach with our clients, meaning that we take the time to understand their unique business challenges and competitive advantage so that we can offer them the best solution possible. Learn more about transforming your business with an ERP.
Cybersecurity is a significant threat to medical device, equipment, and supplies manufacturers, and its significance will only grow as the world becomes more digital. Don’t get caught off guard by increased expectations from the FDA in cybersecurity and other software-related areas.
For medical manufacturers, Datix is the software consultant of choice. We recognize that each manufacturer is unique and requires a tailored solution to meet their business goals. Our team will partner with you every step of the way to bring your organization to the next level.