FDA is issuing deficiency letters: why you should care (Part 1/4)

Topics:
FDA readiness
Regulatory
Naomi Schwartz

March 11, 2024

By Naomi Schwartz, Medcrypt VP of Services

During 2023, a large proportion of Medical Device Manufacturers (MDMs) received deficiency letters from the Food and Drug Administration (FDA) requesting additional information in their 510(k) (see page 104), de novo, or PMA submissions (see page 8). With FDA’s new statutory authority to require that cybersecurity be designed into medical devices and documented in all major submission types, FDA has significantly increased its review of cybersecurity for medical devices and is issuing cybersecurity-related deficiencies in types and quantities not seen previously. Navigating the cybersecurity issues raised in deficiency letters can be a confusing and downright tumultuous task for MDMs: regulatory teams may not understand the extent of the documentation FDA expects to support resolution, and R&D teams may not anticipate the amount of effort needed to resolve design problems or to achieve adequate testing. There are a number of things to consider when submitting to and/or responding to the FDA. How does an MDM navigate all of the details required for an FDA review? From product engineers, to regulatory professionals, to the C-suite, all roles must understand their respective responsibilities and what steps are needed to address deficiency letters.

In this 4-part series, you will discover what an FDA deficiency letter means for everyone across your organization and how it affects the go-to-market plan of a medical device.

What is a stock deficiency?

A deficiency is the FDA’s way of requesting additional information the agency needs to complete the review process of a product submission. FDA will ask for additional information where the manufacturer has failed to include critical documentation to demonstrate compliance with applicable standards, guidance, or regulation, or where insufficient information is provided in the predicate submission that is used as a precedent for the device under review.

FDA issues detailed, tailored deficiencies that focus on a specific area of the submission (for example, concerns about the specificity of the “indications for use” or concerns about the adequacy/appropriateness of contraindications). FDA will issue “stock deficiencies” when the information needed is very general and there is a common thread of information required across a broad variety of submission types (e.g., EMC, biocompatibility, cybersecurity, software). FDA utilizes “stock deficiencies” to achieve consistency in review and predictability in expected content from industry.

How are stock deficiencies issued?

Stock deficiencies are issued in an FDA deficiency letter or interactive review cycle and are related to questions that arise in a wide variety of submissions reviewed by different teams at the Center for Devices and Radiological Health (CDRH), for example in topical areas of biocompatibility, human factors, or cybersecurity.

The FDA reviewer documents their findings related to the submission in a template that requests MDMs to confirm presence and adequacy of submission information. If information that is routinely requested is missing or inadequate, the reviewer marks it as “missing” or “inadequate,” and the template generates a stock deficiency with general language, which the reviewer then tailors to the context of the submission under review.

Sample hypothetical FDA review template

In this blog series, we will focus on stock deficiencies related to cybersecurity. For example, Section 524B of the FD&C Act requires that MDMs establish and maintain a comprehensive cybersecurity risk management program. Failure to provide a cybersecurity risk management plan and its outcomes will therefore lead to a deficiency, as this information is now mandatory for cyber devices and recommended for any device that contains software! FDA will issue a stock deficiency indicating that they were unable to identify the cybersecurity risk management elements required under Section 524B of the Act and will specify in their deficiency notification which elements were missing from the submission. See the table below for a list of the most common stock deficiencies we’ve seen from the FDA on cybersecurity topics and who is affected in a medical device manufacturer.

In the following blogs, we’ll go into more detail on how each of the roles listed is impacted by the deficiencies listed:

Common 524B deficiencies and roles affected

How does the FDA conduct their review?

The FDA conducts a thorough review of marketing applications by first identifying any deficiencies in submission content that require additional information for a comprehensive evaluation. The FDA evaluates the submission against the regulation, guidance, and standards and, for 510(k) submissions, compares your submission against its cited predicate to establish “substantial equivalence”.

In cases of major gaps in submission content, FDA issues a deficiency letter, temporarily pausing the review process until the requested information is provided. Minor deficiencies may prompt the issuance of a deficiency letter if they persist after initial interactive communication. The FDA adheres to the least burdensome approach, requesting only essential information for establishing substantial equivalence (510(k)) or for establishing evidence of safety and effectiveness for a PMA.

Information relating to cybersecurity postmarket activities is taken into account in premarket submissions under Section 524B, emphasizing the importance of including required data for regulatory decision-making, without altering existing premarket clearance or approval expectations in other areas.

Emergo by UL https://www.emergobyul.com/news/how-long-fda-review-process-510k-medical-device-submissions

What steps should MDMs take to respond to deficiencies?

It’s crucial to respond promptly. Below are some steps that MDMs can take to respond to deficiencies. If these deficiencies involve issues with manufacturing and quality control, take appropriate corrective action to prevent deficiencies in the future:

  • Thoroughly reviewing deficiency letters will help you identify whether the information was excluded but already exists, the information does not yet exist, or if it was already provided but perhaps requires clarification or re-phrasing to achieve FDA’s expectations.
  • Once you’ve identified the nature of each deficiency, a specific team can develop a response plan. You should develop a structured plan which outlines the steps you will take to address each deficiency and allows you to set deadlines to ensure you can achieve your complete response by the due date set by the FDA.
  • These steps should clearly and concisely address each deficiency with a combination of narrative and supporting evidence.
  • You should maintain open communication with the FDA if you have any uncertainties or questions regarding any deficiency mentioned in the letter. Remember to keep a record of all communication and documents exchanged with FDA. (This will help you maintain your audit trail and is helpful for future reference.)
  • Finally, prepare a formal response and submit it when you are confident your response is complete, within the deadline set by FDA. After you submit, FDA may contact you for further clarification; make sure your team is prepared for this possibility.

What are the challenges of receiving deficiency letters?

Manufacturers may face certain challenges when they receive a deficiency letter from FDA.

Thorough understanding of additional information requests

First, your team needs to have a thorough understanding of the specific areas where any additional information or clarification is needed. This demands a deep knowledge of both the device design and the regulations, standards or guidance associated with it. If you lack adequate personnel internally to address a particular area, you will need to obtain outside expertise and you should ensure you follow your purchasing controls in obtaining such expertise (following Part 820.50).

Limited time

Your team will be affected by the limited time, as responding promptly and meeting the deadline is crucial. If you need to perform any additional testing to respond to FDA’s deficiencies, you need to schedule it promptly.

Maintaining documentation

You will need to maintain meticulous documentation of all communication and documents exchanged with the FDA. If any deficiencies relate to your manufacturing process and/or quality control, you should consider whether you need to pursue corrective and preventive action, which will prevent deficiencies or other regulatory findings in the future in the event of a quality system inspection.

Whose job is it to care about deficiency letters?

In the next three blog posts, we’ll explore what receiving cybersecurity stock deficiencies means for medical device manufacturers and further explain how the most common deficiencies we’ve seen affect your go-to-market plans from the perspectives of your product engineers, your regulatory professionals, and your executives, respectively.

Follow us on Medium and LinkedIn for the next release and join Medcrypt’s mailing list to stay up to date on all things medical device cybersecurity.

How Medcrypt can help:

Due to our wealth of experience and firsthand knowledge of FDA’s cybersecurity review practices, Medcrypt is able to provide recommendations for deficiency responses that are faster and more time efficient than would otherwise be possible. Our team’s deep understanding of standards, guidance, and best practices enables us to help MDMs to identify the right-sized approach to correcting deficiencies, either through better narrative, design changes, or updating terminology to clarify the approach. This can lead to faster positive outcomes in review with FDA which typically reduces the time and cost of getting to market. Many manufacturers are just starting to adapt to FDA’s greater expectations in cybersecurity and still have a fair amount of uncertainty on what is expected and how to provide adequate documentation. Medcrypt’s team has a solid understanding of these expectations and can often produce a reasonable and acceptable response to deficiencies faster with more consistently positive outcomes than MDMs can achieve without assistance.

Medcrypt offers reviews of premarket submissions before you submit to FDA through our FDA Audit. If you have already received a deficiency letter, Medcrypt can support you through your deficiency response. We’re happy to be your FDA cybersecurity partner to ensure that your filings are clear and complete.

Interested in learning more about how Medcrypt helps medical device manufacturers meet regulatory requirements? Contact us at info@medcrypt.com and visit us at medcrypt.com to discover our full suite of medical device cybersecurity products and services.
