Premarket Risk Management for Medical Device Manufacturers – Then vs Now 

In 2022, the FDA published an overhauled draft guidance on medical device cybersecurity for preparing premarket submissions. When finalized, this draft guidance document will supersede the 2014 version, and many in the medical device community are expecting this guidance document to be mandated in the near future. 

The 2022 draft document was published in response to the ever-evolving cybersecurity threat landscape. The WannaCry Ransomware Attack was specifically cited in the document. However, the cybersecurity landscape as a whole has become much more severe with a number of attacks garnering national and international attention. The need for stronger cybersecurity controls was clear and the FDA responded to it. 

Below is a brief history of the guidance document from 2014 iteration to the present day.  

Medical Device Risk Management – Then vs Now Comparison  

The first premarket submissions guidance document was finalized in 2014, in what was a completely different technological landscape. It is a 9-page foundational document which doesn’t mention testing or SBOMs in any way. The latest draft guidance has evolved significantly and changes the way in which medical device manufacturers undertake premarket submissions. The size of the document has grown from 9 to 49 pages with a much greater focus on testing SBOMs and integrating with an organization’s quality management system.  

Expanded Scope 

One of the most radical changes between the 2014 and 2022 guidance documents is related to its scope. The updated guidance covers all premarket submission styles, as well as devices for which a premarket submission is not required (I.e., for 510(k)-exempt devices). This means that even if your device is exempt from a 510k, it does not mean you are exempt from this guidance.  

There are also changes around design controls. In the past, if your device was a Class 1, you might not have been responsible for design controls. However, that all changed in the updated guidance document.  

Now, if there is software and it is automated, you are responsible for design controls and making sure all controls are properly documented and that you have a cybersecurity quality management system in place. All this means that whether your device is Class 1 or Class 2, 510k required or 510k exempt, the requirements in the new guidance document may still be applicable to you.  

Premarket Risk Management – What Do Medical Device Manufacturers Need to Do Now? 

It is expected that the 2022 draft guidance will formally replace the 2014 guidance document and medical device manufacturers will need to adapt to a much more rigorous way of conducting premarket risk management.  

Below are 5 key changes for medical device manufacturers.  

1/ Threat Modeling Performed Throughout the Design Process 

As part of the risk assessment, FDA recommends threat modeling be performed throughout the design process and be inclusive of all system elements. It is also recommended that premarket submissions include threat modeling documentation.  

FDA recommends that premarket submissions include detailed threat modeling documentation. This is needed to show how risks are assessed and how certain controls are being used to ensure safety and effectiveness.  

There are a number of methodologies and/or combinations of methods for threat modeling that manufacturers may choose to use. Rationale for the methodologies that medical device manufacturers choose should be provided in the threat modeling documentation.  

You can learn more about threat modeling and a simple 4-question framework for implementing it here – ‘Nova Leah’s Introduction to Threat Modeling’. 

2/ Software Bill of Materials Required with Premarket Submissions to Track Third-Party Components and Ensure Transparency 

A Software Bill of Materials (SBOM) is recommended by FDA as a tool to facilitate risk management processes. FDA recommends that premarket submissions include SBOM documentation. If a vulnerability is discovered, an SBOM makes it easier to identify what devices may be affected.  

In the premarket guidance, FDA recommends that premarket submissions include SBOM documentation. 

“A robust SBOM includes both the device manufacturer developed components and third-party components (including purchased/licensed software and open-source software), and the upstream software dependencies that are required/depended upon by proprietary, purchased/licensed, and open-source software. An SBOM helps facilitate risk management processes by providing a mechanism to identify devices that might be affected by vulnerabilities in the software components, both during development (when software is being chosen as a component) and after it has been placed into the market throughout all other phases of a product’s life.” 

What’s Needed in an SBOM? 

Added to what is mentioned above, the following should also be provided in a machine-readable format in premarket submissions.  

                      • The asset(s) where the software component resides;  
                      • The software component name;  
                      • The software component version;
                      • The software component manufacturer;
                      • The software level of support provided through monitoring and maintenance from the software component manufacturer; 
                      • The software component’s end-of-support date;
                      • Any known vulnerabilities. 

SBOMs should be part of a device’s configuration management and regularly updated to reflect any changes to the software. SBOMs are also useful for transparency with users regarding potential risks, as part of device labeling.  

You can learn more about SBOMs in ‘Nova Leah’s Ultimate Guide to SBOMs


3/ Provide Users with More Information Related to Cybersecurity Controls  

Beyond requiring SBOMs, new guidance also puts a lot of emphasis on providing technical information such as manuals that healthcare providers can use to quickly patch devices when problems occur. Device manufacturers should provide users with information to manage risks associated with the device. 

“Manufacturers must put in place processes and controls to ensure that their suppliers conform to the manufacturer’s requirements. Such information is documented in the Design History File, required by 21 CFR 820.30(j), and Design Master Record, required by 21 CFR 820.181. This documentation demonstrates the device’s overall compliance with the QSR, as well as that the third-party components meet specifications established for the device. Security risk assessments that include analyses and considerations of cybersecurity risks that may exist in or be introduced by third-party software and the software supply chain may help demonstrate that manufacturers have adequately ensured such compliance and documented such history.” 

The draft guidance document notes that user manuals that don’t include clear explanations about how to securely configure or update a device may limit an end user’s ability to protect it. 

4/ Provide a List of Unresolved Anomalies  

FDA’s Premarket Software Guidance, recommends that device manufacturers provide a list of software anomalies (e.g., bugs or defects) that exist in a product at the time of submission. For each of these anomalies, FDA recommends that device manufacturers conduct an assessment of the anomaly’s impact on safety and effectiveness. Manufacturers should then consult the Premarket Software Guidance to find out what documentation they should include in the device’s premarket submission. 

                    • Anomalies discovered during development or testing, that are still present in a product at the time of submission must be included in the premarket submission.  
                    • A complete security risk assessment should include an assessment of the potential security impacts that such anomalies may cause with consideration of CWE (Common Weakness Enumeration) categories. 
5/ Include Adequate Security Risk Management Documentation 

To help demonstrate the safety and effectiveness of a device, manufacturers should provide the outputs of their security risk management processes in their premarket submissions. This includes their security risk management plan and security risk management report.  

The security risk management report should: 

                      • A summary of the risk evaluation methods and processes, detailing the security risk assessment, and the risk mitigation activities undertaken as part of a manufacturer’s risk management processes; and 
                      • Traceability between the security risks, controls and the testing reports that ensure the device is reasonably secure. 

Centralized Cybersecurity Risk Management with SelectEvidence™ 

With risk management now playing such a control role in premarket submissions for medical devices, medical device manufacturers should consider integrating with SelectEvidence™. 

SelectEvidence™ is a powerful tool that simplifies and streamlines the risk management process. SelectEvidence™ is an expert cybersecurity risk assessment platform that guides medical device manufacturers through the process of identifying applicable vulnerabilities and identifying the right security controls to mitigate those risks. It provides device manufacturers with an intelligent, automated, and traceable approach to cybersecurity assessments. SelectEvidence™  does this by continually monitoring SBOMs across all connected medical devices.  

To learn more about SelectEvidence™, and its role in medical device risk management, you can organize an obligation-free demo here.    

Photo Credit:
Photos by Annie Spratt on Unsplash
Photo by National Cancer Institute on Unsplash