You Can Apply if You Want To: FDA’s Guidance Concerning Its Refuse to Accept Policy for Cyber Devices

Footnotes for this article are available at the end of this page.

Channeling Men Without Hats’ 1982 catchy (not classic) hit, “Safety Dance,” FDA told industry in a recently issued guidance that medical device companies could submit marketing applications for cyber devices if they want to (and let the FDA review dance commence), and everything will (likely) work out right.[1] Specifically, on March 30, 2023, FDA released the guidance document, “Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber Devices and Related Systems Under Section 524B of the FD&C Act [Federal Food, Drug, and Cosmetic Act],” stating it would not issue a “Refuse to Accept” (“RTA”) decision for marketing applications for cyber medical devices submitted before October 1, 2023, based only on information required by the new statutory provision (Section 524B).[2]

Background

  • Congress amended the FD&C Act to require, among other things, that a submission for a cyber device provide information to FDA showing that the product has met the statutory cybersecurity requirements.
  • Specifically, according to Section 524B, a sponsor must:
    1. submit to the Secretary [of the Department of Health and Human Services] a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures;
    2. design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems to address
      • on a reasonably justified regular cycle, known unacceptable vulnerabilities; and
      • as soon as possible out of cycle, critical vulnerabilities that could cause uncontrolled risks;
    3. provide to the Secretary a software bill of materials, including commercial, open-source, and off-the-shelf software components; and
    4. comply with such other requirements as the Secretary may require through regulation to demonstrate reasonable assurance that the device and related systems are cybersecure.
  • For premarket submissions for cyber devices made before October 1, 2023, FDA said it intends not to issue RTA decisions based solely on information required by Section 524B. Instead, it will work with sponsors during the review process.
  • Beginning October 1, 2023, FDA expects that sponsors of cyber devices will prepare premarket submissions that contain information required by section 524B. After that date, FDA may issue RTAs to submissions that do not.

AGG Observations

  • Timing is everything. If a sponsor of a cyber device product submits a marketing application before October 1, 2023, FDA might accept the application, even if it lacks the information required by Section 524B. After that date, all bets are off.
  • FDA’s decision not to issue an RTA, however, does not mean the agency will clear or approve the application. The guidance merely addresses a procedural issue, not a substantive review one.
  • Coming full circle to Men Without Hats, anyone can submit an application (start the regulatory review dance) if they want to, but it may or may not work out as expected (depending on the submission timing).


[1] www.fda.gov/media/166614/download. The guidance follows passage of the Consolidated Appropriations Act, signed into law on Dec. 29, 2022.

[2] The term “cyber device” is one that (1) includes software validated, installed, or authorized by the sponsor as a device or in a device; (2) has the ability to connect to the internet; and (3) contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.