On April 7, 2022, the U.S. Food and Drug Administration (FDA) announced the release of draft guidance, “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.” This follows the final premarket cybersecurity guidance the agency published in 2014, which it proposed to update in a 2018 draft guidance.
Update: The FDA received significant feedback from stakeholders via comments and public workshops, and ultimately determined it was better to develop a new guidance altogether rather than revise the 2018 draft.
What Should Medical Device Sponsors Know?
- The “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions” draft guidance asks Sponsors to address cybersecurity in the context of the agency’s Quality System Regulation (QSR) and to consider using a Secure Product Development Framework (SPDF) to achieve that goal.
- The SPDF encompasses every stage of a device’s total product lifecycle: development, release, support and decommissioning. Applying SPDF processes during device design can also avoid the need to re-engineer a device later, whether when connectivity features are added after the device is marketed and distributed, or when vulnerabilities that result in uncontrolled risks are discovered.
- The guidance also recommends that threat modeling be performed as part of the design process. A threat model documents how an attacker could target the medical device and what controls the manufacturer puts in place to protect it, under the assumption that the network the device connects to is insecure.
The biggest changes from the 2018 version of this guidance to the new draft are as follows:
- The guidance covers all devices that contain software, firmware, programmable logic and Software as a Medical Device (SaMD).
- The FDA has asked Sponsors to provide a Software Bill of Materials (SBOM) instead of a Cybersecurity Bill of Materials (CBOM).
- The 2018 requirement that Sponsors categorize their product into risk tiers has been removed; in its place, the guidance spells out in much more detail (throughout the document) what the cybersecurity documentation in a premarket submission must contain.
- The draft guidance emphasizes transparency by asking manufacturers to provide technical documentation, such as manuals, that healthcare providers can use to deploy patches to devices quickly.
While the new draft guidance is nonbinding, the FDA does state, “not following the guidance will create greater, probable complexities or potential hardships as far as addressing questions that will come up during the review process. That means potential delays.”
The new draft guidance is open for comment for 90 days, until July 7, 2022. The FDA welcomes continued feedback through the public docket (FDA-2021-D-1158 at www.regulations.gov). Commenters may submit either electronic or written comments, and should do so by July 7, 2022 to ensure that their comments are considered before the agency begins work on the final version.
How Can NAMSA Help?
Does your software product meet the FDA’s definition of a medical device? At NAMSA, our team of regulatory experts has SaMD, AI/ML and cybersecurity experience with a variety of software devices and can guide you through the challenges of this regulatory environment to get your product to market in a timely manner.
NAMSA is the industry leader in driving successful regulatory outcomes through effective interactions with the FDA. In fact, our internal teams of medical device development experts communicate with the FDA nearly every day. From Pre-Submission meetings and Pre-IDE preparation to FDA inspection preparation and SaMD, AI/ML and cybersecurity reviews, our teams are the most experienced in the industry at accelerating regulatory submissions and approvals for device manufacturers. This expertise is proven to save medical device organizations up to $17M in costs and 23 months in development timelines.
If you are interested in speaking with us about FDA-related activities or other global regulatory strategies, please contact us at: https://www.namsa.com/contact-us. Or, learn more about our regulatory experts by visiting: https://namsa.com/namsa-expertise/subject-matter-experts/.
Monica R. Montanez
Monica R. Montanez, MS, RAC, CQA currently serves as NAMSA's Principal Regulatory Consultant. Monica has over twenty years’ experience in the medical device industry in Regulatory Affairs and Quality Assurance. Her primary focus is navigating the regulatory pathways for electro-mechanical and software-driven medical devices worldwide. She has received clearance of many 510(k)s and approval of new indications for PMA devices, of which 90% involved software. More recently, she has broadened her regulatory experience in the area of digital health, including Software as a Medical Device (SaMD), Mobile Medical Apps (MMA), Digital Therapeutics (DTx), Artificial Intelligence (AI), Machine Learning (ML), Cybersecurity, Usability, and Risk Management. While in industry, she assisted in the development of FDA 510(k) guidance and FDA Software guidance directly with the FDA. Monica holds a Master of Science (MS) degree in Regulatory Science (RS) from the University of Southern California (USC) School of Pharmacy. Currently, she holds Regulatory Affairs Certification (RAC) from the Regulatory Affairs Professionals Society (RAPS) and is a Certified Quality Auditor (CQA) with the American Society for Quality (ASQ).