FDA Proposes Updated Guidance Concerning Cybersecurity of Medical Devices
The U.S. Food and Drug Administration ("FDA") has proposed updated guidance, intended to assist individuals in meeting the cybersecurity requirements for FDA medical device submissions.
On March 13, 2024, FDA released the draft Premarket Cybersecurity Guidance, proposing select supplementary updates to the final guidance "Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions." This draft guidance identifies the information FDA generally considers necessary to support premarket submission obligations concerning the cybersecurity of medical devices.
Such obligations are established by Section 524B of the Federal Food, Drug, and Cosmetic Act, and apply to any submission, including a 510(k), PMA, PDP, De Novo, or HDE, for a "Cyber Device." The updates clarify that a Cyber Device: (i) is or contains software, including software that is firmware or programable logic; (ii) can connect to the internet, intentionally or not; and (iii) contains technological characteristics that could be vulnerable to cybersecurity threats. The proposed updates also address requirements concerning documentation, modifications, and cybersecurity assurance:
- Documentation. Manufacturers must provide documentation to comply with 524B requirements. This includes: (i) plans and procedures to monitor, identify, disclose, and address post-market cybersecurity vulnerabilities and exploits; (ii) reasonable assurances that the device and related systems (e.g., manufacturer-controlled elements, software/firmware update servers, and connections to health care facility networks) are cybersecure; and (iii) the software bill of materials (including commercial, open-source, and off-the-shelf software components).
- Modifications. Applications for Cyber Device modification are subject to Section 524B, but the information that a manufacturer is recommended to submit depends on the type of modification and whether it impacts the device's cybersecurity. If modifications may impact cybersecurity (e.g., changes to authentication/encryption algorithms, connectivity feature, software updates), the documentation listed above should be included with the submission. If modifications are unlikely to impact cybersecurity, the manufacturer may refer to previously submitted documentation or provide a summary assessment instead.
- Reasonable Assurance of Cybersecurity. Since the Secretary of Health and Human Services may require a "reasonable assurance" of cybersecurity of certain cyber devices, FDA interprets this provision to mean that a "reasonable assurance of cybersecurity" can be part of FDA's evaluation of the cyber device's safety and effectiveness. For example, in evaluating reasonable assurance of cybersecurity in 510(k) premarket submissions, FDA considers changes to the environment of use, new risks or vulnerabilities in the technological characteristics, and how these potential vulnerabilities have been addressed.
This draft guidance does not establish the agency's current thinking until finalized. Comments and suggestions should be submitted by May 13, 2024.
