Towards the end of December last year, President Biden signed into law the Consolidated Appropriations Act 2023. The Act covers a huge range of topics in its 4,000+ pages. Most relevant for medical device companies in the digital space is Section 3305, which paves the way for substantial enhancements to medical device cybersecurity.
Ninety days after passing into law (i.e. on 22nd March 2023), Section 3305 has now taken effect. In this post, we discuss some of the key changes medical device manufacturers should be aware of.
Section 3305
Section 3305 essentially formalises a number of requirements which had already been established by the FDA in various guidance documents. In particular, it states that manufacturers must submit a plan to the FDA (as part of their regulatory approval application) outlining how they will monitor, identify and address cybersecurity vulnerabilities in the post-market phase. Manufacturers must also develop processes (including postmarket patches and updates) to ensure that their devices and related systems are cybersecure. Failure by a manufacturer to comply with Section 3305 is a civil offence which could result in fines of up to $15,000 for each violation.
While Section 3305 legally enshrines the need for manufacturers to consider cybersecurity in relation to their devices, its requirements are generally lacking in detail. To this end, Section 3305 also grants the FDA the authority to issue new cybersecurity standards for medical devices. These standards are to be developed alongside the Cybersecyriuty and Infrastructure Security Agency (CISA) and are to be published by 29th December 2024 at the latest. While the exact content of the FDA’s new cybersecurity standards remains to be seen, at the very least it is expected that they will build upon and add clarity to the requirements of Section 3305.
Preparing for Section 3305
As noted above, Section 3305 took effect on 22nd March 2023, meaning any regulatory submissions lodged with the FDA after this date will have to comply with its requirements. The first step that should be taken by manufacturers in preparation for this is to determine whether or not their device is subject to the new requirements. Section 3305 only applies to “cyber devices”, defined in the legislation as any device which:
If it is established that Section 3305 does apply, manufacturers must then consider which measures they need to implement to ensure the cybersecurity of their devices. Since Section 3305 provides relatively little information in this regard, manufacturers may find it useful to turn to FDA guidance documents such as the “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” (currently in draft form) and “Postmarket Management of Cybersecurity in Medical Devices”. These documents each provide further details on the types of measures and processes manufacturers may need to adopt in relation to cybersecurity. For example, it is recommended that manufacturers undertake threat modelling to help identify security risks and vulnerabilities for the device and the countermeasures that should be applied to protect it.
Another common approach for dealing with cybersecurity is to apply ISO 27001 – the international standard for information security management. To obtain ISO 27001 certification, manufacturers must, among other things, draw up an information security policy, perform information security risk assessments and carry out continual evaluation and improvement of their system. The FDA has not currently designated ISO 27001 as a recognised consensus standard, meaning it is not a standard that the Agency will directly use when deciding whether to clear or approve a regulatory submission. Nevertheless, ISO 27001 still provides a useful framework that can help manufacturers ensure their devices meet the requirements of Section 33305.
How we can help
Regtik, our healthcare regulatory explorer tool, can help you navigate the legal maze by walking your product through a series of simple questions designed to determine which rules and regulations are applicable It is able to provide results for various jurisdictions (the US, EU, UK and Australia) in one single assessment and can be used multiple times on different versions of your product.
If you are interested in learning more about Regtik or would like to request a demo, please contact any member of our team or register your interest below.