Medical Device Cybersecurity - What's New?

PRP Consulting Team

Apr 15, 2024 4:16:36 PM

Cybersecurity continues to evolve throughout all facets of the business world, and the medical device industry has taken notice. FDA has published several guidance documents in recent years addressing the substantial threats posed by inadequate cybersecurity and the drastic consequences it can have on medical device manufacturers. Please see our previous blog titled “New Medical Device Cybersecurity Regulation”. In March 2024, FDA issued additional draft guidance titled “Select Updates for the Premarket Cybersecurity Guidance: Section 524B of the FD&C Act”. This new guidance document provides specific updates to previous guidance issued last year titled “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions” (“Premarket Cybersecurity Guidance”). FDA intends to incorporate the updates proposed in this new draft guidance into the Premarket Cybersecurity Guidance as one final guidance document after obtaining and considering public comment on these proposed select updates.

The select updates to the cybersecurity guidance cover the following topics:

  • Who is Required to Comply with Section 524B of the FD&C Act
  • Devices Subject to Section 524B of the FD&C Act
  • Documentation Recommendations to Comply with 524B of the FD&C Act
    • Plans and procedures to “monitor, identify, and address, as appropriate, in a reasonable time, post-market cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures”
    • Design, Develop, and Maintain Processes and Procedures to Provide a Reasonable Assurance of Cybersecurity
    • Software Bill of Materials
  • Device Modifications

Section 524B(c) of the FD&C Act defines a “cyber device” as a device that “(1) includes software validated, installed, or authorized by the sponsor as a device or in a device; (2) has the ability to connect to the internet; and (3) contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.” It is essential for companies to assess whether their devices meet the criteria of a “cyber device” and to incorporate within their premarket applications all of the cybersecurity-related information laid out by FDA in its guidance documents. An inadequate understanding of these requirements and/or failure to effectively and efficiently implement such requirements could lead to an extended FDA review process and, consequently, delays in device approvals.

See link below to the latest guidance document - Select Updates for the Premarket Cybersecurity Guidance: Section 524B of the FD&C Act
