The Food and Drug Administration (“FDA”) has issued final guidance to advice developers on their compliance obligations for premarket submissions. To view the FDA’s finalized document, please click here: Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions (fda.gov). The guidance issued by the FDA supersedes the earlier draft guidance issued on April 8, 2022 as well as the “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” issued October 2, 2014.
The guidance describes recommendations regarding the cybersecurity information to be submitted for the following:
- Premarket notification (510(k)) submissions;
- De Novo requests;
- Premarket Approval Applications (PMAs) and PMA supplements;
- Product Development Protocols (PDPs)
- Investigational Device Exemption (IDE) submissions;
- Humanitarian Device Exemption (HDE) submissions;
- Biologics License Application (BLA) submissions; and
- Investigational New Drug (IND) submissions.
The FDA states in its release that “this guidance applies to all type of devices within the meaning of section 201(h) of the Federal Food, Drug, and Cosmetic Act (“FD&C Act”), including devices that meet the definition of a biological product under section 351 of the Public Health Services Act, whether or not they require a premarket submission.” In addition, the FDA says that the guidance applies “to devices for which a premarket submission is not required (e.g. for 510(k) exempt devices)” as well as “cyber devices as defined in section 524B of the FD & C Act.” Finally, the FDA states that the guidance applies to the device portion of a combination product “when the device constituent part presents cybersecurity considerations, including but not limited to devices that have a device software function or that contain software (including firmware) or programmable logic.” Although the FDA indicates in the release that the guidance should not be construed as “legally enforceable responsibilities,” the FDA advises that the guidance represents its “recommendations” on the topic of cybersecurity.
What exactly recommendations exactly does the FDA make in this guidance?
First of all, the FDA recommends that device manufacturers follow the quality system requirements found in the QS regulation in 21 CFR Part 820, which may include establishing cybersecurity risk management and validation processes where appropriate in accordance with FDA’s guidance “Content of Premarket Submissions for Device Software Functions.” The FDA says that healthcare facilities may manage devices within their own frameworks such as the National Institute of Standards Technology (“NIST”) cybersecurity framework. The FDA also points to the following frameworks to consider: the Medical Device and Health IT Joint Security Plan, which is available at https://healthsectorcouncil.org/the joint-security plan; IEC 81001-5-1; and ANSI, ISA 62442-4-1.
Second of all, the FDA recommends that device manufacturers implement security controls, which include authentication; authorization, cryptography, code, data and execution integrity; confidentiality; event detection and logging; resilience and recovery, updatability and finally, patchability.
Third, the FDA recommends that the manufacturers must establish and maintain procedures for verifying the device design, which verification must confirm that the design output meets the design input requirements. The FDA again points to 21 CFR 820.30 for guidance on the procedures for verification.
Fourth, the FDA recommends transparency in advising users of relevant security risks through labeling, and provides specific examples of information to include in labeling. The FDA points to IEC TR 80001-2-2 and IEC TR 80001-2-9 for further guidance on labeling to comply with the standards.
Fifth, the FDA recommends that manufacturers establish a plan for how to identify and communicate to users vulnerabilities identified after releasing the device in accordance with 21 CFR 820.100, which plan can also support security risk management processes described in the QS regulation. The FDA states that these plans should include the following elements:
- Personnel responsible;
- Sources, methods, and frequency for monitoring and identifying vulnerabilities (e.g. researchers, NIST vulnerability database (NIST NVD), third party manufacturers;
- Identify and address vulnerabilities identified in “CISA’s Known Exploited Vulnerabilities Catalog” available at https://www.cisa.gov/known-exploited-vulnerabilities-catalog;
- Periodic security testing;
- Timeline to develop and release patches;
- Update processes;
- Patching capability (i.e. rate at which update can be delivered to devices);
- Description of their coordinated vulnerability disclosure process; and
- Description of how the manufacturer intends to communicate forthcoming remediations, patches, and updates to customers.
The FDA points to its “Postmarket Cybersecurity Guidance” for additional recommendations on plans.
Digital health companies should definitely take the time to review and familiarize themselves with the new guidance, as it is likely that health care customers will be expecting compliance with this new guidance going forward, regardless of whether or not digital health companies’ products are actually subject to FDA regulation. Even though this guidance constitutes merely a recommendation to those digital health companies which are subject to FDA regulation, it provides specific minimum recommendations that health care customers will likely expect their providers to be compliant with going forward.