Proposed updates to align FDA Premarket Cybersecurity Guidance with Section 524B of the FD&C Act

Topics:
FDA readiness
This is some text inside of a div block.
Thought leadership
This is some text inside of a div block.
Regulatory
This is some text inside of a div block.

March 14, 2024

Proposed updates to align FDA Premarket Cybersecurity Guidance with Section 524B of the FD&C Act

On March 12, 2024 FDA published “Select Updates for the Premarket Cybersecurity Guidance: Section 524B of the FD&C Act — Draft Guidance for Industry and Food and Drug Administration Staff”. The draft document is open for public comment until May 13, 2024.

Specifically, FDA provides this draft guidance to propose updates to the FDA Cybersecurity Premarket Guidance (Sept. 2023) by suggesting a new section to address new considerations for cyber devices and clarify what cybersecurity information is considered necessary to comply with section 524B of the FD&C Act.

The proposed changes focus on the following areas:

1. Definition of a “Cyber Device” and cybersecurity information required for submission:

Any manufacturer submitting a 510(k), PMA, PDP, De Novo, or HDE for a “cyber device,” is required to include information to demonstrate that the device meets cybersecurity requirements.

A “cyber device” is a device that:

  • includes software validated, installed, or authorized by the sponsor;
  • has the ability to connect to the internet; and
  • contains any technology that could be vulnerable to cybersecurity threats.

This definition is quite broad and includes any device that contains software and has the “ability to connect”, regardless of whether such connectivity is intended or not. This includes devices that connect via Wi-Fi or cellular; network, server, or cloud service; Bluetooth or BLE; RF or inductive communications; and hardware connectors (e.g., USB, ethernet, serial).

Medcrypt Comment: Any device that contains software will likely fall under this definition, even if the device is stand alone in its clinical use but contains means for software update, e.g., via USB port.

2. Documentation Recommendations to Comply with Section 524B

For premarket submissions, manufacturers must demonstrate compliance with section 524B of the FD&C Act. Recommendations regarding the supporting documentation include:

Plans and Procedures, for example:

  • A Postmarket Management plan “to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures”.
  • An overarching Cybersecurity Management Plan.
  • Coordinated Vulnerability Disclosure (CVD) Process to manage the disclosure of vulnerabilities and exploits identified by external entities or by the manufacturer.
  • Processes to provide for timely development and release of required updates and patches on a regular cycle or, if critical, out of cycle.
  • Maintain and update plans and procedures.

Design, Develop, and Maintain Processes and Procedures to Provide a Reasonable Assurance of Cybersecurity (per Section 524B(b)(2)) of the device and related systems. Related systems include for example:

  • Per FDA’s Guidance “Multiple Function Device Products”;
  • Software/firmware update servers; or
  • Connections to health care facility networks.

Software Bill of Materials (SBOM) (per Section 524B(b)(3)) including commercial, open-source, and off-the-shelf software components.

Medcrypt comment: Manufacturers are required to look at cybersecurity holistically across the entire device use case, including its integration with clinical and operational systems.

3. Device Modifications

Based on the type of change and whether such change impacts cybersecurity, device modifications may also be included under section 524B. FDA differentiates between:

Changes that may impact cybersecurity (e.g., changes to authentication or encryption algorithms, new connectivity features, or changing software update process/mechanisms) require the recommended documentation as described.

Changes that are unlikely to impact cybersecurity (e.g., a change to an algorithm without change to architecture/software structure/connectivity) will still require reference to prior submission and documentation, a summary of changes, and summaries of any updates/patches made to address vulnerabilities or exploits.

For any limitations to updating the cybersecurity of the device, provide a description of the limitations which prevent further security controls and an assessment of residual risk

Note that regardless of the type of change being proposed, during review FDA intends to take into account known cybersecurity concerns that are applicable to such devices to determine whether the device is cybersecure.

Medcrypt comment: Here we see an opportunity for FDA to clarify requirements as e.g., in the FDA Cybersecurity Fact Sheet it is stated that “Medical device manufacturers can always update a medical device for cybersecurity. In fact, the FDA does not typically need to review changes made to medical devices solely to strengthen cybersecurity”. This could be interpreted as an apparent conflict.

4. Reasonable Assurance of Cybersecurity

FDA interprets FDORA and the FD&C Act that a “reasonable assurance of cybersecurity” can be part of FDA’s determination of a device’s safety and effectiveness and that reasonable assurance of cybersecurity is relevant to authorization Cybersecurity has become essential to to protect public health and provide reasonable assurance of safety and effectiveness.

Medcrypt comment: FDA reiterates the importance of cybersecurity and has made it clear that future device submissions (new or changes to released device) will be required to meet the defined requirements for security and, by extension, operational reliability and patient safety.

Related articles

Top 5 Things People Get Wrong About SBOM Generation
This is some text inside of a div block.

Top 5 Things People Get Wrong About SBOM Generation

Vulnerability management
This is some text inside of a div block.
Tools & processes
This is some text inside of a div block.
Thought leadership
This is some text inside of a div block.
Jobe Naff
Jobe Naff

October 30, 2024

Cybersecurity in FDA CDRH’s Proposed Guidance List for Fiscal Year 2025
This is some text inside of a div block.

Cybersecurity in FDA CDRH’s Proposed Guidance List for Fiscal Year 2025

FDA readiness
This is some text inside of a div block.
Regulatory
This is some text inside of a div block.
Thought leadership
This is some text inside of a div block.
Axel Wirth
Axel Wirth

October 28, 2024

Meeting FDA Cybersecurity Requirements with Medcrypt Guardian & RTI Connext
This is some text inside of a div block.

Meeting FDA Cybersecurity Requirements with Medcrypt Guardian & RTI Connext

Company
This is some text inside of a div block.
Cryptography
This is some text inside of a div block.
Tools & processes
This is some text inside of a div block.
All authors
All authors

October 22, 2024

Subscribe to Medcrypt news

Get the latest healthcare cybersecurity news right in your inbox.

We'll never spam you or sell your information