Cybersecurity of Medical Devices in USA
Anyone submitting a premarket application or submission for a device classified as a “cyber device” must include information required by the FDA to ensure the device meets cybersecurity requirements specified in section 524B(b) of the FD&C Act.
This applies to submission types such as
- 510(k)
- premarket approval application (PMA)
- Product Development Protocol (PDP)
- De Novo Classification requests
- Humanitarian Device Exemption (HDE).
What is a Cyber Device?
Section 524B(c) of the FD&C Act defines a “cyber device” as a device that
- includes software validated, installed, or authorized by the sponsor as a device or in a device,
- has the ability to connect to the internet, and
- contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.
If manufacturers are unsure whether their device is a cyber device, they may contact the FDA.
Requirements that apply to manufacturers of cyber devices under section 524B of the FD&C Act
Section 524B(a) of the FD&C Act mandates that the sponsor of a premarket submission for a cyber-device must include information demonstrating that the device meets the cybersecurity requirements outlined in section 524B(b) of the FD&C Act. The requirements in section 524B(b) are:
- Submit a plan to monitor, identify, and address, as appropriate, in a reasonable time, post market cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures;
- Design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cyber secure, and make available post market updates and patches to the device and related systems; and
- Provide a software bill of materials, including commercial, open-source, and off-the-shelf software components.
The cybersecurity requirements do not apply to applications or submissions submitted to the FDA before March 29, 2023. If a cyber-device, previously authorized, undergoes a change that requires premarket review by the FDA, the new cybersecurity requirements will apply to the new premarket submission.
Cybersecurity Guidelines for Medical Devices
The 2023 guidance “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions” provides recommendations on cybersecurity considerations for devices and documentation in device premarket submissions that may help manufacturers meet their obligations with the 524B requirements.
General Principles of FDA’s Medical Device Security Guidelines
Here is an outline of the general principles covered by the new guidelines.
- Cybersecurity is Part of Device Safety and the Quality System Regulation
Device manufacturers must follow quality systems as specified in 21 CFR Part 820 to ensure their products meet all requirements. These quality systems may apply at both the premarket and post market stages, depending on the device.
A Secure Product Development Framework (SPDF) can be used to fulfill aspects of QS Regulation.
- Designing for Security
The FDA evaluates a device’s cybersecurity in premarket submissions based on its ability to meet security objectives, including authenticity, authorization, availability, confidentiality, and secure, timely updatability and patchability.
- Transparency
Transparency in cybersecurity is crucial for the safe use of medical devices. Manufacturers must inform users about the device’s cybersecurity controls, potential risks, and other relevant details.
- Submission Documentation
The level of cybersecurity documentation in premarket submissions depends on the device’s cybersecurity risk. Manufacturers should consider the broader system and provide documentation demonstrating reasonable assurance of safety and effectiveness, reflecting comprehensive design controls and cybersecurity risk assessments.
Design and Documentation Recommendations
Design Recommendations
Effective cybersecurity relies on implementing robust security controls within the device design. These controls should address critical security objectives, including authentication, authorization, cryptography, data integrity, confidentiality, event detection, and logging.
Documentation Recommendations
Using an SPDF to Manage Cybersecurity Risks
The following sections offer recommendations for using SPDF processes:
Security Risk Management
Incorporating cybersecurity into Risk Management involves several steps to ensure a comprehensive and effective approach to addressing cybersecurity risk:
- Threat Modeling
Threat modeling helps identify and address potential cybersecurity threats in medical device systems by understanding security risks and vulnerabilities and defining countermeasures to mitigate them.
- Cybersecurity Risk Assessment
Cybersecurity risk management ensures devices are designed with security to mitigate threats. Manufacturers should integrate security risk management throughout the Total Product Life Cycle (TPLC) within their quality system.
- Interoperability Considerations
Interoperability between medical devices and other systems adds to cybersecurity considerations. Manufacturers must assess and control cybersecurity risks associated with interoperable functionality, including connections with other medical devices, healthcare infrastructure, and computing platforms. Implementing cybersecurity controls should ensure safe information exchange without overly complicating device interoperability.
- Third-Party Software Components
The use of third-party software in medical devices requires thorough cybersecurity risk assessment and management.
- Security Assessment of Unresolved Anomalies
Manufacturers should evaluate the security implications of software anomalies or vulnerabilities found during development or testing, assess their impact on device safety and effectiveness, and implement appropriate control measures.
- TPLC Security Risk Management
Manufacturers should manage cybersecurity risks throughout the device’s lifecycle, updating security risk management documentation as new information emerges to ensure ongoing safety and effectiveness against evolving threats.
Software Bill of Materials (SBOM)
An SBOM is essential for managing cybersecurity risks in medical devices by listing all software components and their dependencies, including third-party and open-source software. It helps identify vulnerabilities in these components. The FDA requires SBOM documentation in premarket submissions to evaluate device cybersecurity risks.
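As an added illustration of what a machine-readable SBOM has to carry (this is not code from the page or from the FDA guidance; the device, component names, versions and advisory list are all constructed), a short Python check that flags components missing the baseline fields the guidance points to and matches each component against an advisory list:

```python
import json

# Constructed CycloneDX-style SBOM for a hypothetical infusion pump (not a real submission).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {"timestamp": "2024-01-01T00:00:00Z", "authors": [{"name": "Example Device Co."}]},
  "components": [
    {"bom-ref": "fw",   "supplier": {"name": "Example Device Co."},  "name": "pump-firmware", "version": "3.2.0"},
    {"bom-ref": "tls",  "supplier": {"name": "Example TLS Project"}, "name": "example-tls",   "version": "1.0.1"},
    {"bom-ref": "rtos", "supplier": {"name": "Example RTOS Ltd."},   "name": "example-rtos",  "version": "9.0"},
    {"bom-ref": "json", "name": "tinyjson", "version": ""}
  ],
  "dependencies": [
    {"ref": "fw", "dependsOn": ["tls", "rtos", "json"]},
    {"ref": "tls", "dependsOn": []},
    {"ref": "rtos", "dependsOn": []}
  ]
}
"""

# Constructed advisory data: component name -> affected versions (not a real vulnerability database).
ADVISORIES = {"example-tls": {"1.0.1", "1.0.2"}, "example-rtos": {"8.0"}}

# Baseline per-component fields (supplier, name, version, unique id) plus a dependency entry,
# following the NTIA minimum elements that the FDA guidance references.
REQUIRED_FIELDS = ("supplier", "name", "version", "bom-ref")


def check_minimum_elements(sbom: dict) -> list:
    """Return findings for a submission reviewer; an empty list means every component is complete."""
    findings = []
    meta = sbom.get("metadata", {})
    if not meta.get("timestamp") or not meta.get("authors"):
        findings.append("metadata: missing SBOM author or timestamp")
    recorded = {d["ref"] for d in sbom.get("dependencies", [])}
    for comp in sbom.get("components", []):
        label = comp.get("name") or comp.get("bom-ref") or "<unnamed>"
        for field in REQUIRED_FIELDS:
            if not comp.get(field):
                findings.append(f"{label}: missing {field}")
        if comp.get("bom-ref") not in recorded:
            findings.append(f"{label}: no dependency relationship recorded")
    return findings


def affected_components(sbom: dict, advisories: dict) -> list:
    """List 'name version' for every component whose exact version appears in an advisory."""
    return [f"{c['name']} {c['version']}" for c in sbom.get("components", [])
            if c.get("version") in advisories.get(c.get("name"), set())]


EXAMPLE_SBOM = json.loads(SBOM_JSON)
```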
Cybersecurity Testing
Rigorous security testing is a critical component of the FDA’s cybersecurity guidelines. Manufacturers must extensively validate the effectiveness of security controls, ensuring devices are resilient against both known and potential cybersecurity threats.
Cybersecurity Transparency
Transparency is crucial for users to manage security risks in medical device systems, either individually or within larger risk management frameworks like the NIST CSF. Transparency can be ensured through device labeling and manufacturer vulnerability management plans. However, the ability to mitigate risks may vary among different user types (e.g., manufacturers, servicers, patients), and actions to ensure cybersecurity should be appropriate for each user type.
Labeling Recommendations
The FDA has specific requirements for device labeling and end-user documentation, clearly outlining the end user’s responsibilities to ensure the medical device remains secure throughout its lifetime.
Cybersecurity Management Plans
The FDA recommends that manufacturers include their cybersecurity management plans in their premarket submissions. This allows the FDA to assess whether the manufacturer has adequately addressed how to maintain the device’s safety and effectiveness after marketing authorization is achieved.
Updated Guidance on Cybersecurity of Medical Devices
On March 13, 2024, the FDA issued the draft guidance “Select Updates for the Premarket Cybersecurity Guidance: Section 524B of the FD&C Act”, which proposes updates to the final guidance titled “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions”. The draft proposes updated cybersecurity recommendations for cyber devices and guidance on documentation for premarket submissions.
Conclusion
The FDA has implemented new cybersecurity requirements for medical cyber devices, which manufacturers must comply with to avoid rejection of their device submissions. These requirements include monitoring and addressing cybersecurity vulnerabilities, providing regular updates and patches, and submitting a machine-readable software bill of materials detailing all software components. Compliance with these guidelines is essential to protect against cyber threats and ensure acceptance of device submissions by the FDA.
For further information regarding the cybersecurity regulations for medical devices in the United States, including the requirements mandated on manufacturers under section 524B of the FD&C Act, please reach out to our team of experts at DDi.