FDA continues its focus on cybersecurity in medical devices

May 7, 2024


By Matt Walker, Recall Advisor

In an increasingly digital society, cybersecurity is a concern for all industries. However, for the medical device sector the risks from cyber threats are even greater given that cyberattacks can put patients’ lives at risk. The U.S. Food and Drug Administration (FDA) has made addressing those risks a priority in the past several years as it updates its guidance documents for cybersecurity requirements for medical devices.

Last September, the FDA published its final guidance, “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions,” which offers recommendations for safeguarding medical devices throughout the full product lifecycle. According to the FDA, “these recommendations are intended to promote consistency, facilitate efficient premarket review, and help ensure that marketed medical devices are sufficiently resilient to cybersecurity threats.”

The final guidance was already in draft form when the Food and Drug Omnibus Reform Act of 2022 (FDORA) was signed into law. The FDA opted to continue with the existing guidance and address the medical device cybersecurity requirements in FDORA at a later date.

Latest updates

In March 2024, the FDA released its draft guidance, “Select Updates for the Premarket Cybersecurity Guidance: Section 524B of the FD&C Act,” to offer clarity to manufacturers around new provisions in the Food, Drug, & Cosmetics (FD&C) Act that were added by the FDORA. The document outlines the cybersecurity information that the FDA considers to “generally be necessary to support obligations under section 524B of the FD&C Act.” The guidelines also state that these obligations apply to any device that meets the definition of a “cyber device” in all premarket applications or submissions under most pathways including 510(k), Premarket Approval Application (PMA), Product Development Protocol (PDP), De Novo, or Humanitarian Device Exemption (HDE).

The draft guidance also clarifies the definition of a “cyber device” under section 524B. This includes devices that (i) are or contain software; (ii) are able to connect to the internet, whether intentionally or unintentionally; and (iii) contain any such technological characteristics that could be vulnerable to cybersecurity threats.

The FDA provides additional insight into cyber devices that have the ability to connect to the internet. All manufacturers should pay close attention to these requirements because they apply whether the sponsor intends for the device to actually connect to the internet or not.

The proposed updates also provide recommendations for meeting the section 524B requirements related to documentation, modifications, and the reasonable assurance of cybersecurity. Industry stakeholders have until May 13, 2024 to submit comments before the FDA begins work on creating a final version of the guidance document.

Looking ahead

Most manufacturers should already be incorporating most of these practices into their premarket submissions given that the Cybersecurity in Medical Devices final guidance took effect in September 2023. However, the FDA’s recommendations in the updated draft guidance can provide helpful information for manufacturers to ensure they are including all the required components in their FDA documentation.

The medical device industry can expect the FDA to continue prioritizing cybersecurity, especially as more devices become connected and artificial intelligence and machine learning-enabled devices become more prevalent. It is in manufacturers’ and sponsors’ best interest to keep a close eye on new developments and to stay on top of current best practices in cybersecurity. Recall preparation will also remain crucial as connected devices introduce new risks. It will be important for medical device companies to ensure not only that their premarket submissions comply with the new rules, but also that their recall plans are revised to take the new considerations into account.
