March 14, 2024
On March 12, 2024 FDA published “Select Updates for the Premarket Cybersecurity Guidance: Section 524B of the FD&C Act — Draft Guidance for Industry and Food and Drug Administration Staff”. The draft document is open for public comment until May 13, 2024.
Specifically, the draft proposes updates to the FDA Cybersecurity Premarket Guidance (Sept. 2023) by adding a new section that addresses considerations specific to cyber devices and clarifies what cybersecurity information FDA considers necessary to comply with section 524B of the FD&C Act.
The proposed changes focus on the following areas:
Any manufacturer submitting a 510(k), PMA, PDP, De Novo, or HDE for a “cyber device” is required to include information demonstrating that the device meets the cybersecurity requirements of section 524B.
A “cyber device” is a device that:
This definition is quite broad: it covers any device that contains software and has the “ability to connect”, whether or not such connectivity is intended for clinical use. This includes devices that connect via Wi-Fi or cellular; a network, server, or cloud service; Bluetooth or BLE; RF or inductive communications; and hardware connectors (e.g., USB, Ethernet, serial).
Medcrypt comment: Nearly any device that contains software will fall under this definition, even a device that is stand-alone in its clinical use but has a means of receiving software updates, e.g., via a USB port.
For premarket submissions, manufacturers must demonstrate compliance with section 524B of the FD&C Act. Recommendations regarding the supporting documentation include:
Plans and Procedures, for example:
Design, Develop, and Maintain Processes and Procedures to Provide a Reasonable Assurance of Cybersecurity (per Section 524B(b)(2)) of the device and related systems. Related systems include for example:
Software Bill of Materials (SBOM) (per Section 524B(b)(3)) including commercial, open-source, and off-the-shelf software components.
Medcrypt comment: Manufacturers are required to look at cybersecurity holistically across the entire device use case, including its integration with the clinical and operational systems it connects to.
Device modifications may also fall under section 524B, depending on the type of change and whether it impacts cybersecurity. FDA differentiates between:
Changes that may impact cybersecurity (e.g., changes to authentication or encryption algorithms, new connectivity features, or changing software update process/mechanisms) require the recommended documentation as described.
Changes that are unlikely to impact cybersecurity (e.g., a change to an algorithm with no change to the architecture, software structure, or connectivity) still require a reference to the prior submission and its documentation, a summary of the changes, and summaries of any updates or patches made to address vulnerabilities or exploits.
For any limitations on updating the cybersecurity of the device, provide a description of the limitations that prevent further security controls and an assessment of the residual risk.
Note that regardless of the type of change being proposed, during review FDA intends to take into account known cybersecurity concerns that are applicable to such devices to determine whether the device is cybersecure.
Medcrypt comment: Here we see an opportunity for FDA to clarify the requirements. The FDA Cybersecurity Fact Sheet, for example, states that “Medical device manufacturers can always update a medical device for cybersecurity. In fact, the FDA does not typically need to review changes made to medical devices solely to strengthen cybersecurity.” Read alongside the documentation expectations above, this could be interpreted as an apparent conflict.
FDA interprets FDORA and the FD&C Act to mean that a “reasonable assurance of cybersecurity” can be part of FDA’s determination of a device’s safety and effectiveness, and that reasonable assurance of cybersecurity is therefore relevant to authorization. Cybersecurity has become essential to protecting public health and providing reasonable assurance of safety and effectiveness.
Medcrypt comment: FDA reiterates the importance of cybersecurity and has made it clear that future device submissions (new devices or changes to released devices) will be required to meet the defined security requirements and, by extension, the expectations for operational reliability and patient safety.