Part 3 of 3: Adapting to New Cybersecurity Requirements for Medical Cyber Devices (+Free Webinar Sign-up) 

On September 26th, 2023, the FDA issued the final guidance Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions. This guidance provided recommendations on medical device cybersecurity considerations and what information needs to be included in premarket submissions.

This final guidance supersedes the final guidance “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” issued October 2, 2014. Along with the passing of FDA’s October 1st ‘Refuse-to-Accept’ deadline, this final guidance signifies that we have stepped into a new era of medical device cybersecurity.

Key Aspects of The Final Guidance Document

1. What Type of Devices Do These New Rules Apply To?

The guidance document is applicable to devices with cybersecurity considerations, including but not limited to devices that have a device software function or that contain software (including firmware) or programmable logic. The guidance is not limited to devices that are network-enabled or contain other connected capabilities. This guidance describes recommendations regarding the cybersecurity information to be submitted for devices under the following premarket submission types, when submitted to the Center for Devices and Radiological Health (CDRH) or the Center for Biologics Evaluation and Research (CBER):

• Premarket Notification (510(k)) submissions;
• De Novo requests;
• Premarket Approval Applications (PMAs) and PMA supplements;
• Product Development Protocols (PDPs);
• Investigational Device Exemption (IDE) submissions;
• Humanitarian Device Exemption (HDE) submissions;
• Biologics License Application (BLA) submissions; and
• Investigational New Drug (IND) submissions.

2. Introduction of the Secure Product Development Framework

A Secure Product Development Framework (SPDF), as described in this guidance, is a set of processes that reduce the number and severity of vulnerabilities in products throughout the device lifecycle. Examples of such frameworks exist in many sectors, including the medical device sector.

“An SPDF encompasses all aspects of a product’s lifecycle, including design, development, release, support, and decommission. Additionally, using SPDF processes during device design may prevent the need to re-engineer the device when connectivity-based features are added after marketing and distribution, or when vulnerabilities resulting in uncontrolled risks are discovered. An SPDF can be integrated with existing processes for product and software development, risk management, and the quality system at large. Using an SPDF is one approach to help ensure that the Quality System (QS) regulation is met. Because of its benefits in helping comply with the QS regulation and cybersecurity, FDA encourages manufacturers to use an SPDF, but other approaches might also satisfy the QS regulation.”

3. Recommendations for Implementation of Cybersecurity Transparency

A lack of cybersecurity information, such as information necessary to integrate the device into the use environment, as well as information needed by users to maintain the medical device system’s cybersecurity over the device lifecycle, has the potential to affect the safety and effectiveness of a device. In order to address these concerns, it is important for device users to have access to information pertaining to the device’s cybersecurity controls, potential risks to the medical device system, and other relevant information.

For example:

• A failure to disclose all of the communication interfaces or third party software could fail to convey potential sources of risks;
• Insufficient information pertaining to whether a device has known but not disclosed cybersecurity vulnerabilities or risks may be relevant to determining whether a device’s safety or effectiveness could be degraded; and/or
• Labeling that does not include sufficient information to explain how to securely configure or update the device may limit the ability of end users to appropriately manage and protect the medical device system.

Navigating The New Cybersecurity Landscape

For medical device manufacturers, the new cybersecurity legislative requirements demand a whole new way of thinking. No longer can cybersecurity and risk management be considered only as an afterthought. They need to be baked into the entire product development lifecycle.

If you are a medical device manufacturer looking to meet the requirements of the new regulatory landscape, we've got you covered.

Join our FREE webinar where experts will delve into the intricacies of compliance and cybersecurity, providing valuable insights into best practices for designing, developing, and maintaining cybersecure medical devices. Don’t miss this chance to enhance compliance and cybersecurity practices within your organization and bring more secure devices to market.

Register for Our Free Webinar Today

On Monday, October 30, 2023, at 11 AM EDT, Nova Leah, together with Bluebridge Technologies, will be hosting a free webinar titled:

‘Navigating FDA’s New Cyber Device Paradigm – Cybersecurity And Compliance, Sharing Industry Best Practices’

The FREE webinar will include:

• 3 industry experts delving into the intricacies of compliance and cybersecurity in the medical device industry.
• Best practices for designing, developing, and maintaining cybersecure medical devices in an all-new medical cyber device regulatory environment.
• A run-through of the essentials of the new FDA cyber device criteria and its impact on your software/system development procedures and maintenance lifecycle.
• Expert Q&A.

Learn more about the speakers and register for the free webinar by using the button below.

We hope to see you there.

Register for Free