Boston MedTech Advisors Blog, January 2024
Medical devices are increasingly connected to the Internet, hospital networks, and other medical devices. As such, medical devices are progressively more vulnerable to cybersecurity breaches, potentially impacting the safety and effectiveness of the device.
On December 29, 2022, the Consolidated Appropriations Act, 2023 (“Omnibus”) was signed into law. The Omnibus amended the Federal Food, Drug, and Cosmetic Act (FD&C Act) by adding section 524B, “Ensuring Cybersecurity of Medical Devices”. Under this section, a “cyber device” is defined as a device that:1
- Includes software validated, installed, or authorized by the sponsor as a device or in a device;
- Has the ability to connect to the internet; and
- Contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.
A premarket submission for a device that meets the definition of a cyber device is required by law to include information demonstrating that the device meets the cybersecurity requirements of section 524B.
On September 27, 2023, FDA finalized its guidance for the medical device industry entitled “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.”2 This document, which supersedes the agency’s 2014 guidance entitled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices”3 was designed to update the approach to device cybersecurity in light of the rapidly evolving landscape, increased understanding of emerging threats, and the need for capable deployment of mitigations throughout the total product lifecycle (TPLC). The recommendations in this guidance are intended to help manufacturers meet their obligations under section 524B of the FD&C Act.
The 2023 guidance describes recommendations regarding the cybersecurity information to be submitted for the following device premarket submission types:
- Premarket Notification (510(k));
- De Novo requests;
- Premarket Approval Applications (PMAs) and PMA supplements;
- Product Development Protocols (PDPs);
- Investigational Device Exemption (IDE) applications;
- Humanitarian Device Exemption (HDE) filings.
In addition to these, the recommendations in this guidance are also applicable to devices for which a premarket submission is not required, such as 510(k)-exempt devices.
Compared to the 2014 guidance, FDA has included several new elements in the latest guidance document. These include, but are not limited to, the recommendation for a Secure Product Development Framework (SPDF) for cybersecurity risk management, expanding the scope of the guidance to IDE submissions, and new requirements for Software Bill of Materials (SBOM) documentation in premarket submissions for medical devices.
The guidance document highlights the importance of an iterative approach to device cybersecurity throughout the product lifecycle, with particular emphasis on secure design and cybersecurity risk mitigation and management.
The key areas of focus in the new guidelines are:
- Software validation and risk management (which are essential to meeting Quality System (QS) requirements) are key elements of cybersecurity analyses and demonstrate whether a device has a reasonable assurance of safety and effectiveness. FDA requires manufacturers to implement development processes that account for and address software risks throughout the design and development process as part of design controls, which may include cybersecurity considerations. To satisfy QS requirements, FDA recommends the adoption of protocols such as the Secure Product Development Framework (SPDF) for risk management throughout the product lifecycle.
- The difference between cybersecurity risk management and safety risk management is highlighted. Specifically, FDA has stated that manufacturers should include security risk management reports in premarket submissions to help demonstrate the safety and effectiveness of the device. The report should include documentation on system threat modeling, cybersecurity risk assessment, SBOM, component support information, vulnerability assessments, and unresolved anomaly assessment.
- FDA identifies transparency as essential to the safe and effective use of medical devices and to managing cybersecurity risks in medical device systems and networks. Two routes to enhance transparency are device labeling and establishing vulnerability management plans. FDA also recommends that manufacturers consider the end users’ ability to take on a security-risk mitigation role when designing labeling material. Any risks transferred to the user should be detailed and may need to be included as part of usability testing.
- Medical device manufacturers are recommended to submit cybersecurity management plans in their premarket submissions. Such plans will be used by FDA to prospectively assess the post-market safety and effectiveness of the device.
- FDA expects properly implemented cybersecurity controls to support safe and effective interoperability between devices. Interoperable devices are identified as those that can exchange and use information electronically with another medical or non-medical product, system, or device. Furthermore, the agency emphasizes that cybersecurity controls should not be leveraged to prohibit users from accessing their device data.
- Medical device manufacturers should document all software components, including any third-party software components, and address or mitigate risks associated with these components to comply with the QS regulation. As software is generally updated over time, such changes may lead to new risks that must be proactively considered during risk management. In its guidance, FDA indicates that device manufacturers should maintain custodial control of the device source code throughout the product lifecycle as part of configuration management. Though premarket submissions do not need to include the source code, manufacturers should plan ahead for updating or replacing third-party software as and when required.
- Following section 524B(b)(3) of the FD&C Act, the 2023 guidance states that SBOMs are a required component of marketing applications for cyber devices. In addition, FDA recommends that they be included in the marketing applications of all other devices as well. The recommendations pertaining to SBOMs apply to both proprietary (i.e., manufacturer-developed) and third-party software.
The recommendations contained in this guidance document are intended to supplement FDA’s guidance documents on:
- Postmarket Cybersecurity Guidance4
- Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software5
- Content of Premarket Submissions for Device Software Functions6
Since 2004, BMTA’s multidisciplinary team has supported more than 400 medical technologies and life sciences companies around the world to achieve their business goals. BMTA assists its clients to commercialize new products and services and increase their market adoption by addressing their unique and inter-dependent regulatory, clinical evidence, reimbursement, and marketing requirements and strategies. BMTA offers result-oriented insights that recognize the multi-faceted aspects of today’s healthcare markets and the client’s unique business needs.
For more information, questions, or comments, contact us at email@example.com
- Federal Food, Drug, and Cosmetic Act, Section 524B(c). https://www.congress.gov/117/bills/hr2617/BILLS-117hr2617enr.pdf
- Guidance for Industry and Food and Drug Administration Staff, “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions,” September 27, 2023. https://www.fda.gov/regulatory-information/search-fda-guidance-documents/cybersecurity-medical-devices-quality-system-considerations-and-content-premarket-submissions
- Guidance for Industry and Food and Drug Administration Staff, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” October 2, 2014. https://www.fda.gov/media/86174/download
- Guidance for Industry and Food and Drug Administration Staff, “Postmarket Management of Cybersecurity in Medical Devices,” December 28, 2016. https://www.fda.gov/media/95862/download
- Guidance for Industry, “Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software,” January 14, 2005. https://www.fda.gov/media/72154/download
- Guidance for Industry and Food and Drug Administration Staff, “Content of Premarket Submissions for Device Software Functions,” June 14, 2023. https://www.fda.gov/media/153781/download