Decoding FDA Guidance: A Deep Dive into the Premarket Cybersecurity Update

On March 12, 2024 FDA published “Select Updates for the Premarket Cybersecurity Guidance: Section 524B of the FD&C Act — Draft Guidance for Industry and Food and Drug Administration Staff”. The draft document is open for public comment until 05/13/2024.

Specifically, FDA provides this draft guidance to propose updates to the FDA Cybersecurity Premarket Guidance (Sept. 2023) by suggesting a new section that will address new considerations for cyber devices and clarify what cybersecurity information is considered necessary to comply with section 524B of the FD&C Act.

The proposed changes focus on the following areas (summarized, for detail refer to the original document):

1. Definition of a “Cyber Device” and cybersecurity information required for submission:

• Any manufacturer submitting a 510(k), PMA, PDP, De Novo, or HDE for a “cyber device,” is required to include information to demonstrate that the device meets cybersecurity requirements.
• A “cyber device” is a device that: includes software validated, installed, or authorized by the sponsor, has the ability to connect to the internet, and contains any technology that could be vulnerable to cybersecurity threats.
• This definition is quite broad and includes any device that contains software and has the “ability to connect”, regardless of whether such connectivity is intended or not. This includes devices that connect via Wi-Fi or cellular; network, server, or cloud service; Bluetooth or BLE; RF or inductive communications; and hardware connectors (e.g., USB, ethernet, serial).

Medcrypt comment: Any device that contains software will likely fall under this definition, even if the device is stand alone in its clinical use but contains means for software update, e.g., via USB port.

2. Documentation Recommendations to Comply with Section 524B

For premarket submissions, manufacturers must demonstrate compliance with section 524B of the FD&C Act. Recommendations regarding the supporting documentation include:

Plans and Procedures, for example:

• A Postmarket Management plan “to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures”.
• An overarching Cybersecurity Management Plan.
• Coordinated Vulnerability Disclosure (CVD) Process to manage the disclosure of vulnerabilities and exploits identified by external entities or by the manufacturer.
• Processes to provide for timely development and release of required updates and patches on a regular cycle or, if critical, out of cycle.
• Maintain and update plans and procedures.

Design, Develop, and Maintain Processes and Procedures to Provide a Reasonable Assurance of Cybersecurity (per Section 524B(b)(2)) of the device and related systems. Related systems include for example:

• Per FDA’s Guidance “Multiple Function Device Products”;
• Software/firmware update servers; or
• Connections to health care facility networks.

Software Bill of Materials (SBOM) (per Section 524B(b)(3)) including commercial, open-source, and off-the-shelf software components.

Medcrypt comment: Manufacturers are required to look at cybersecurity holistically across the entire device use case, including its integration with clinical and operational systems.

3. Device Modifications

Based on the type of change and whether such change impacts cybersecurity, device modifications may also be included under section 524B. FDA differentiates between:

• Changes that may impact cybersecurity (e.g., changes to authentication or encryption algorithms, new connectivity features, or changing software update process/mechanisms) require the recommended documentation as described.
• Changes that are unlikely to impact cybersecurity (e.g., a change to an algorithm without change to architecture/software structure/connectivity) will still require reference to prior submission and documentation, a summary of changes, and summaries of any updates/patches made to address vulnerabilities or exploits.
• For any limitations to updating the cybersecurity of the device, provide a description of the limitations which prevent further security controls and an assessment of residual risk

Note that regardless of the type of change being proposed, during review FDA intends to take into account known cybersecurity concerns that are applicable to such devices to determine whether the device is cybersecure.

Medcrypt comment: Here we see an opportunity for FDA to clarify requirements as e.g., in the FDA Cybersecurity Fact Sheet it is stated that “Medical device manufacturers can always update a medical device for cybersecurity. In fact, the FDA does not typically need to review changes made to medical devices solely to strengthen cybersecurity”. This could be interpreted as an apparent conflict.

4. Reasonable Assurance of Cybersecurity

FDA interprets FDORA and the FD&C Act that a “reasonable assurance of cybersecurity” can be part of FDA’s determination of a device’s safety and effectiveness and that reasonable assurance of cybersecurity is relevant to authorization Cybersecurity has become essential to to protect public health and provide reasonable assurance of safety and effectiveness.

Medcrypt comment: FDA reiterates the importance of cybersecurity and has made it clear that future device submissions (new or changes to released device) will be required to meet the defined requirements for security and, by extension, operational reliability and patient safety.

See the full draft guidance,“Select Updates for the Premarket Cybersecurity Guidance: Section 524B of the FD&C Act — Draft Guidance for Industry and Food and Drug Administration Staff” and submit comments until 05/13/2024.

Interested in learning more about how Medcrypt helps medical device manufacturers meet regulatory requirements? Contact us at info@medcrypt.com and visit us at medcrypt.com to discover our full suite of medical device cybersecurity products and services.

‍