FDA Guidance Promises Closer Scrutiny of Medical Device Cybersecurity
The FDA’s most recent final guidance for medical device cybersecurity represents a significant shift in the agency’s perspectives regarding cybersecurity, which is part of a broader emphasis on cybersecurity across the federal government. One of the most critical aspects of the guidance is that cybersecurity is now a part of the FDA’s quality management system requirements, which gives the agency a wider range of opportunities to oversee the manufacturer’s cybersecurity preparations.
Cybersecurity has emerged as an essential national security issue of tremendous importance, so much so that the FDA has developed a cybersecurity action plan for internal use. Among the benefits of this plan are assurances that the FDA website will be resistant to cybersecurity threats and that electronic applications filed with the agency will be secure from those threats.
The Biden administration has developed a national cybersecurity action plan that serves to emphasize a government-wide focus on cybersecurity, a focus that has made itself felt across the executive branch. For instance, the Securities and Exchange Commission has developed a policy which governs reporting of cybersecurity breaches for publicly traded companies, presenting a non-FDA avenue of enforcement risk for medical device companies.
The FDA guidance for cybersecurity premarket submissions incorporates cybersecurity requirements for cloud computing and artificial intelligence, two areas of vulnerability that were not represented in the agency’s previous final guidance. The inclusion of cybersecurity as a component of the Quality System Regulation (QSR) may be the most immediately impactful aspect of the guidance, as the fulfillment of those requirements must be documented in premarket submissions to the agency. Premarket submissions must describe the design of cybersecurity features as well as the validation of those design elements, but perhaps more importantly, manufacturers will be required to develop procedures specifically for these activities.
These requirements may be fulfilled using a Secure Product Development Framework (SPDF), which is a set of processes used to identify and reduce both the number and the severity of vulnerabilities in medical device software. An SPDF should describe cybersecurity activities across the product’s lifecycle and, when properly established, may allow the manufacturer to add functions such as connectivity without the need to re-engineer the device.
The guidance requires that manufacturers develop a software bill of materials (SBOM), which is also listed as a component of the Biden administration’s national strategy for cybersecurity. The FDA requires that the SBOM include a list of all known vulnerabilities and documentation that those vulnerabilities have been controlled. Also required is documentation of support that will be provided through monitoring and maintenance of the software, and information on the software’s end-of-support date.
The manufacturer’s responsibilities include control of cybersecurity risk associated with the use of third-party components, including off-the-shelf (OTS) and open-source software. The risk management process for the overall product should take these components into account, and the manufacturer must develop processes and procedures to ensure that these third-party products conform to the manufacturer's requirements for that device.
This guidance was in effect upon the date of issuance, Sept. 27, 2023, although the FDA stated that it would work with the sponsors of any applications that had already been filed as of that date. Applications filed after that date will be subject to the agency’s refuse-to-accept policy if the cybersecurity requirements found in this guidance are not fulfilled.
Medmarc is a member of ProAssurance Group, a family of specialty liability insurance companies. The product material is for informational purposes only. In the event any of the information presented conflicts with the terms and conditions of any policy of insurance offered from ProAssurance, its subsidiaries, and its affiliates, the terms and conditions of the actual policy will apply.
Copyright © 2024 - Medmarc