May 1, 2024
On March 12, 2024 FDA published “Select Updates for the Premarket Cybersecurity Guidance: Section 524B of the FD&C Act — Draft Guidance for Industry and Food and Drug Administration Staff”. The draft document is open for public comment until 05/13/2024.
Specifically, FDA provides this draft guidance to propose updates to the FDA Cybersecurity Premarket Guidance (Sept. 2023) by suggesting a new section that will address new considerations for cyber devices and clarify what cybersecurity information is considered necessary to comply with section 524B of the FD&C Act.
The proposed changes focus on the following areas (summarized, for detail refer to the original document):
Medcrypt comment: Any device that contains software will likely fall under this definition, even if the device is standalone in its clinical use but contains a means for software updates, e.g., via a USB port.
For premarket submissions, manufacturers must demonstrate compliance with section 524B of the FD&C Act. Recommendations regarding the supporting documentation include:
Plans and Procedures, for example:
Design, Develop, and Maintain Processes and Procedures to Provide a Reasonable Assurance of Cybersecurity (per Section 524B(b)(2)) of the device and related systems. Related systems include for example:
Software Bill of Materials (SBOM) (per Section 524B(b)(3)) including commercial, open-source, and off-the-shelf software components.
Medcrypt comment: Manufacturers are required to look at cybersecurity holistically across the entire device use case, including its integration with clinical and operational systems.
Based on the type of change and whether such change impacts cybersecurity, device modifications may also be included under section 524B. FDA differentiates between:
Note that regardless of the type of change being proposed, during review FDA intends to take into account known cybersecurity concerns that are applicable to such devices to determine whether the device is cybersecure.
Medcrypt comment: Here we see an opportunity for FDA to clarify requirements. For example, the FDA Cybersecurity Fact Sheet states that “Medical device manufacturers can always update a medical device for cybersecurity. In fact, the FDA does not typically need to review changes made to medical devices solely to strengthen cybersecurity”. This could be interpreted as an apparent conflict.
FDA interprets FDORA and the FD&C Act to mean that a “reasonable assurance of cybersecurity” can be part of FDA’s determination of a device’s safety and effectiveness and that reasonable assurance of cybersecurity is relevant to authorization. Cybersecurity has become essential to protect public health and provide reasonable assurance of safety and effectiveness.
Medcrypt comment: FDA reiterates the importance of cybersecurity and has made it clear that future device submissions (new devices or changes to a released device) will be required to meet the defined requirements for security and, by extension, operational reliability and patient safety.
See the full draft guidance, “Select Updates for the Premarket Cybersecurity Guidance: Section 524B of the FD&C Act — Draft Guidance for Industry and Food and Drug Administration Staff”, and submit comments until 05/13/2024.
Interested in learning more about how Medcrypt helps medical device manufacturers meet regulatory requirements? Contact us at info@medcrypt.com and visit us at medcrypt.com to discover our full suite of medical device cybersecurity products and services.