Many privacy professionals may have missed it, but in the run-up to the New Year, while many U.S. companies were focused on complying with the California Privacy Rights Act (CPRA), Congress passed an appropriations bill that contains significant new cybersecurity requirements for medical device companies. The Omnibus Appropriations Bill, which was signed into law on December 29, 2022, contains provisions amending the Federal Food, Drug, and Cosmetic Act to further mandate the implementation of cybersecurity controls for certain internet-connected medical devices. Specifically, any "device" (as the term is broadly defined under 21 U.S.C.S. 321(h)) must comply with the new requirements if the device: (1) includes software that is validated, installed, or authorized by the sponsor; (2) has the ability to connect to the internet; and (3) contains any technological characteristics that could be vulnerable to cybersecurity threats.

The new rules go into effect 90 days after the passage of the Bill (i.e., March 22, 2023). Thereafter, any sponsor submitting a cyber device to the FDA must:

  1. Submit to the FDA Secretary a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures;
  2. Design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems to address: (a) on a reasonably justified regular cycle, known unacceptable vulnerabilities; and (b) as soon as possible out of cycle, critical vulnerabilities that could cause uncontrolled risks; and
  3. Provide to the Secretary of the FDA a software bill of materials, including commercial, open-source, and off-the-shelf software components.

Further, the new amendments authorize the FDA to draft regulations containing additional requirements that "demonstrate reasonable assurance that the device and related systems are cybersecure," or regulations that exempt certain devices or device types from the new requirements. While there are no express timing requirements for the draft regulations, the new amendments do require the FDA to update its existing "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices" guidance within two years, and additionally require the FDA to update its public-facing guidance on improving the cybersecurity of devices within 180 days.

Medical device manufacturers should carefully review their current cybersecurity controls for covered devices and keep a close eye out for the new FDA guidance and regulations. As always in the world of data privacy, if you blink, you may miss a new law or regulation.