FDA seeks feedback on expansion of premarket cybersecurity guidance

Dive Brief:

  • The Food and Drug Administration has requested feedback on plans to add a new section to the premarket cybersecurity guidance finalized last year.
  • Through the planned update, which the FDA released Tuesday, the agency wants to provide information on the requirements that the Food and Drug Omnibus Reform Act of 2022 (FDORA) created for companies seeking authorization of “cyber devices.” The legislation gave the FDA the authority to refuse submissions that lack cybersecurity information.
  • The new draft section explains which devices are covered by the requirements, the documents affected companies should submit and how the FDA interprets the phrase “reasonable assurance of cybersecurity.”

Dive Insight:

The FDA released draft guidance on how cybersecurity affects quality management systems (QMS) and the content of premarket submissions for consultation in April 2022. Later that year, President Joe Biden signed an omnibus spending bill, passing FDORA into law.

FDORA features a section on ensuring cybersecurity of medical devices but, with work on the QMS and premarket submissions draft already underway, the FDA opted against responding to the requirements in its initial guidance. The agency finalized the document last year and posted a planned, FDORA-focused update to the guidance this week.

The FDA is planning to add a seventh section to the cybersecurity guidance to explain the requirements created by FDORA. As the draft explains, the agency considers the term “cyber device” to cover products that “are or contain” software, can connect to the internet, and have any technological characteristics, installed, validated or authorized by the manufacturer, that could be vulnerable to cybersecurity threats. The FDA’s definition of “ability to connect to the internet,” a term used in FDORA, covers products with certain features even if the sponsor never intended them to be online.

Elsewhere in the draft, the FDA walks through how companies can address the FDORA requirement for applications to include plans to identify and address cybersecurity vulnerabilities. As well as the actions requested in the existing guidance, the agency is proposing that applicants describe and justify timelines for releasing updates and patches to fix vulnerabilities.

The draft also addresses modifications to cyber devices. Following its least burdensome principles, the FDA is recommending that different information be provided depending on whether or not the modification is likely to affect cybersecurity. The agency lists changes to authentication or encryption algorithms and new connectivity features as modifications that may affect cybersecurity.

In the final part of the new section, the FDA discusses its interpretation of a FDORA line about providing a “reasonable assurance of cybersecurity.” The agency has concluded cybersecurity can be part of its determination of a device’s safety and effectiveness.

The draft discusses how that conclusion could affect the review of 510(k) submissions using the example of central nursing station alarm software. If the FDA finds the software lacks encryption to protect against a recently identified threat, it may rule that the device carries increased risk compared to its predicate and request additional performance data.

The draft is open for comments until May 13.