The article provides an overview of the FDA's regulatory approach to cybersecurity for medical devices, as set out in its draft premarket cybersecurity guidance.

FDA Guidance

The Food and Drug Administration (FDA or the Agency), the US regulatory authority for healthcare products, has published a draft guidance document introducing selected updates to the premarket cybersecurity guidance, with particular reference to Section 524B of the FD&C Act.

Once finalized, the guidance will provide additional clarifications regarding the applicable regulatory requirements, as well as recommendations that medical device manufacturers and other parties involved should take into consideration to ensure compliance with them.

At the same time, it is essential to mention that the provisions of the guidance are non-binding in their legal nature and are not intended to introduce new rules or impose new obligations.

Moreover, the authority explicitly states that an alternative approach could be applied, provided such an approach is in line with the existing legal framework and has been agreed with the authority in advance.

The present version of the document was released for public comment. This document proposes updates to existing premarket cybersecurity guidance to enhance the cybersecurity framework for medical devices.

Recommendations provided in the guidance are vitally important for ensuring that medical devices, referred to as “cyber devices” when they meet specific criteria, comply with any cybersecurity requirements they are subject to.

Regulatory Background and Legal Framework

As stated by the authority, the inception of this guidance is a direct response to the evolving cybersecurity landscape and the statutory requirements introduced by Section 524B of the Food, Drug, and Cosmetic (FD&C) Act, as amended by the Food and Drug Omnibus Reform Act of 2022.

This section requires that submissions for medical devices capable of connecting to the internet ("cyber devices") must include comprehensive cybersecurity information to meet defined cybersecurity standards.

Definition and Scope of Cyber Devices

The draft guidance further elaborates on the classification of cyber devices, which encompasses any medical device that includes or is software, can connect to the internet, and possesses characteristics that could make it susceptible to cybersecurity threats.

The FDA leverages definitions from the National Institute of Standards and Technology (NIST) to broaden the scope of what constitutes a cyber device.

This includes traditional computing devices and other medical devices with embedded software, firmware, or the ability to communicate through internet-enabled protocols.

Obligations Under Section 524B of the FD&C Act

Under the regulatory requirements, medical device manufacturers and other entities submitting premarket applications for cyber devices must include detailed cybersecurity information.

This requirement ensures that such devices are designed and developed with robust cybersecurity measures to mitigate potential threats and vulnerabilities.

Cyber Devices Subject to Regulatory Scrutiny

The FDA specifies that cyber devices encompass many internet-connected medical devices.
This includes devices with networking capabilities, such as Wi-Fi, Bluetooth, and cellular connections, as well as those capable of interfacing with network servers or cloud service providers, or of using hardware connectors such as USB and Ethernet ports.

The Agency emphasizes that the ability of a device to connect to the internet, whether intentional or not, necessitates a thorough cybersecurity risk assessment to identify and mitigate potential vulnerabilities.

Proposed Updates to the Premarket Cybersecurity Guidance

The draft guidance proposes significant updates to the existing premarket cybersecurity framework, intending to integrate these changes into the final document.

The FDA seeks public feedback on these updates to refine and enhance the guidelines further.
The proposed updates aim to clarify the expectations for cybersecurity information in premarket submissions, ensuring that devices are adequately protected against cyber threats and vulnerabilities from the design phase through post-market surveillance.

Conclusion

The present FDA draft guidance on cybersecurity in medical devices represents a critical step forward in addressing the cybersecurity challenges faced by the medical device industry.

By outlining the scope of cyber devices and specifying the cybersecurity information required in premarket submissions, the FDA aims to ensure that medical devices are secure, resilient, and capable of protecting patient health while providing the proper level of protection against emerging cyber threats.

Stakeholders are encouraged to review the draft guidance and provide comments to aid in developing a comprehensive and practical cybersecurity framework for medical devices.

How Can RegDesk Help?

RegDesk is a holistic Regulatory Information Management System that provides medical device and pharma companies with regulatory intelligence for over 120 markets worldwide. It can help you prepare and publish global applications, manage standards, run change assessments, and obtain real-time alerts on regulatory changes through a centralized platform. Our clients also have access to our network of over 4000 compliance experts worldwide to obtain verification on critical questions. Global expansion has never been this simple.