The new article provides additional details regarding specific aspects associated with cyber devices, such as modifications to it.
Table of content
The Food and Drug Administration (FDA or the Agency), the US regulating authority in healthcare products, has published a draft guidance document introducing selected updates for the premarket cybersecurity guidance with particular reference to Section 524B of the FD&C Act.
Once finalized, the guidance will provide additional clarifications regarding the applicable regulatory requirements and recommendations to be taken into consideration by medical device manufacturers and other parties involved to ensure compliance with it.
At the same time, it is essential to mention that provisions of the guidance are non-binding in their legal nature, nor are they intended to introduce new rules or impose new obligations.
Moreover, the authority explicitly states that an alternative approach could be applied, provided such an approach is in line with the existing legal framework and has been agreed with the authority in advance.
Addressing Modifications in Cyber Devices for Premarket Submissions
The scope of the draft guidance issued by the FDA covers, among other things, the aspects related to the regulatory status of modifications to cyber devices in the context of premarket submissions. In this respect, the document outlines the essential regulatory requirements to consider.
Also, it describes the approach to be followed by the stakeholders to ensure compliance to it.
Overview of Modifications Compliance
Under the new requirements introduced by section 524B of the FD&C Act, any modifications to medical devices that meet the definition of a cyber device necessitate compliance with specified cybersecurity requirements.
This encompasses a broad spectrum of modifications, ranging from changes in device software and connectivity to alterations in the device’s physical components that might indirectly affect its cybersecurity posture.
Types of Modifications and Corresponding Documentation
The document further distinguishes several types of modifications, namely:
- Changes Impacting Cybersecurity
Modifications that could influence the cybersecurity of a device include updates to authentication mechanisms, encryption algorithms, connectivity features, or the software update process. For such changes, manufacturers are advised to refer to Section II.C. for guidance on the necessary documentation to ensure compliance with Section 524B of the FD&C Act. - Changes Unlikely to Impact Cybersecurity
The FDA still requires specific documentation for modifications deemed unlikely to affect the device’s cybersecurity, such as material alterations or changes in sterilization methods.
This includes:
- A plan for cybersecurity management
if not previously provided, or updates to an existing plan.
- A summary of any changes to the cybersecurity management plan and documentation of updates or patches applied to address vulnerabilities since the last submission.
- A summary assessment provides assurance of cybersecurity, detailing any impact from recent modifications, and evaluates identified vulnerabilities.
- An SBOM (described in the previous article) detailing all software components, as required by section 524B(b)(3) of the FD&C Act.
Regarding modifications, the FDA review process will primarily focus on changes that introduce new cybersecurity controls or affect the device’s cybersecurity.
This includes considering all known cybersecurity concerns relevant to the device during premarket reviews to ensure a reasonable cybersecurity assurance.
Ensuring Reasonable Assurance of Cybersecurity
The FDA emphasizes that the overarching goal is to ensure that devices, including those undergoing modifications, maintain a reasonable cybersecurity assurance.
This assurance is integral to the overall safety and effectiveness of the device, reflecting the general commitment to safeguarding public health in an era of increasingly interconnected medical devices.
The authority acknowledges the importance of novel technologies used in medical devices. It aims to establish the proper balance between facilitating the development and use of innovative healthcare products and ensuring the safety of patients.
Evaluating Premarket Submissions with Cybersecurity Considerations
For submissions such as 510(k), the FDA assesses changes in the device’s operating environment, new risks or vulnerabilities introduced by the modifications, and how these changes impact the device’s safety and effectiveness.
The evaluation to be conducted by the FDA can influence the determination of whether a modified device remains substantially equivalent to its predicate.
Conclusion
The present FDA guidance addresses specific aspects of the modifications potentially affecting cybersecurity characteristics of medical devices intended to be marketed and used in the US.
The document outlines the different categories of such changes based on their expected impact and explains the approach depending on this categorization.
How Can RegDesk Help?
RegDesk is a holistic Regulatory Information Management System that provides medical device and pharma companies with regulatory intelligence for over 120 markets worldwide. It can help you prepare and publish global applications, manage standards, run change assessments, and obtain real-time alerts on regulatory changes through a centralized platform. Our clients also have access to our network of over 4000 compliance experts worldwide to obtain verification on critical questions. Global expansion has never been this simple.
