The FDA released a draft guidance on March 13, 2024, aiming to update its existing guidance on the cybersecurity of medical devices. Public comments are open until May 13, 2024, following which the FDA will review and incorporate feedback into the final guidance document.
This update will entail including additional details regarding the categories of devices falling under section 524B(c) of the Food, Drug, and Cosmetic Act (FD&C Act), as well as specifying who is mandated to ensure compliance with medical device cybersecurity measures.
Upon finalization, this draft guidance will outline the information deemed necessary by the FDA to fulfill obligations outlined in section 524B of the FD&C Act, as stated in a notice published in the Federal Register.
The agency emphasized that individuals must submit information demonstrating a medical device’s adherence to cybersecurity standards if it qualifies as a cyber device under various submissions like 510(k), premarket approval application (PMA), product development protocol (PDP), De Novo, or humanitarian device exemption (HDE). According to section 524B(c), a cyber device is one that connects to the internet through any means, is susceptible to cybersecurity threats, and contains validated, installed, or authorized software.
Documentation requirements under section 524B encompass processes and procedures ensuring the cybersecurity of the device and its associated systems. These entail proactive identification and handling of cybersecurity vulnerabilities, establishment of a plan and timeline for releasing updates and patches for vulnerabilities and maintaining documentation to address new risks and vulnerabilities throughout the product lifecycle. Additionally, a software bill of materials is required irrespective of the device’s component sources.
Regarding device modifications, the FDA suggests that manufacturers of cyber devices tailor their submissions based on the nature of the change and its impact on cybersecurity. Examples of changes potentially affecting cybersecurity include alterations to authentication or encryption algorithms, introduction of new connectivity features, or software updates.
If a change is unlikely to affect cybersecurity, manufacturers may provide summary information instead of comprehensive documentation, provided there is reasonable assurance of cybersecurity.
In its cybersecurity review, the FDA intends to focus on modifications to cybersecurity controls or changes likely to impact cybersecurity. Additionally, it will consider known cybersecurity concerns applicable to the device when conducting premarket reviews to ensure a reasonable assurance of cybersecurity.
For 510(k) submissions, the FDA examines changes in the device’s environment, alterations to technological characteristics that may introduce new risks or vulnerabilities, and the device’s operation with new risks or vulnerabilities.
About Accel
Accel Groups is a dedicated team of seasoned professionals in regulatory, clinical and market access. We help medical device and IVD manufacturers with complete product life cycle solutions from preclinical, strategy, clinical evaluation and trial, regulatory submission, to post market surveillance. Our regional principals have a minimum of 10+ years’ experience in their specialty to enable us to provide the regional in-depth expertise but with global one-stop shop solutions. Ask us about our Start-up kits for start-up companies with key countries regulatory pathway.
