Thursday, March 23, 2023

FDA Sends Medical Device Cybersecurity Notice to OMB

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had receive a notice from the Federal Drug Administration (FDA) on “Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber Devices and Related Systems Under Section 524B of the FD&C Act”. There is no listing for this action in the Fall 2022 Unified Agenda.

The new §524B was added to the Food, Drug, and Cosmetic Act by §3305 (pg 1374), Ensuring Cybersecurity of Medical Devices, of the Consolidated Appropriations Act, 2023 (PL 117-328, HR 2617). Subsection 3305(b) amended 21 USC 331(q) making it unlawful for medical device manufacturers to fail  to comply with any requirement under §524B(b)(2). That paragraph reads:

‘‘(2) design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems to address—

‘‘(A) on a reasonably justified regular cycle, known unacceptable vulnerabilities; and

‘‘(B) as soon as possible out of cycle, critical vulnerabilities that could cause uncontrolled risks;”

It looks like this notice may be related to that section in relation to ‘§524B’.

No comments:

/* Use this with templates/template-twocol.html */