The U.S. Food and Drug Administration (FDA) recently released draft guidance that includes a proposal to add Section VII. Complies with premarket cybersecurity guidance to support obligations under Section 524B of the Food, Drug, and Cosmetic Act (FD&C Act).
FDA’s draft guidance on Section 524B proposes updates to FDA’s current guidance document, Medical Device Cybersecurity: Quality System Considerations and Content of Premarket Submissions. This document was finalized in September 2023 and replaced FDA’s previous premarket cybersecurity guidance for medical devices issued in 2014. Although the FDA’s latest publication is currently in draft form, it is still helpful to medical device manufacturers, who will look to the FDA as they decide how best to address their cybersecurity compliance in 2024 and beyond. The proposed interpretations and recommendations should be considered.
Highlights of FDA’s draft guidance
Here are some key takeaways from the FDA’s draft guidance.
Devices subject to Section 524B of the FD&C Act
FDA’s draft guidance provides further insight into FDA’s current thinking on what meets the definition of “cyber device” under Section 524B(c) and includes it as part of a premarket submission such as a 510. provides additional guidance regarding required documentation. (k), De Novo, HDE, PMA, or PDP. When submitting a cyber device application, applicants must include “any information FDA may require to confirm that the cyber device meets cybersecurity requirements under Section 524B(b).” there is. Cyber devices refer to medical devices such as:
-
“[I]Contains software that has been verified, installed, or approved on or on the device by Sponsor.
-
“[H]As a function to connect to the Internet, and
-
“[C]Has technical characteristics verified, installed, or authorized by Sponsor that may make it vulnerable to cybersecurity threats. ”
Documents Required for Section 524B Compliance
Applications for premarket approval of cyber devices must be accompanied by documentation that meets the requirements of Section 524B. FDA’s draft guidance provides recommendations for each of his three types of documentation required. Notably, in some cases, the FDA is simply referencing his previous guidance from September 2023. For example, regarding the “planning” requirement under section 524B(b)(1), the draft guidance states: Recommended information for a cybersecurity management plan as described in Section VI.B.Premarket Cybersecurity Guidance [from September 2023]” and also provides additional recommendations.
“Reasonable assurance of cybersecurity” can be part of determining safety and effectiveness
Please note that nothing in Section 524B “shall be construed as affecting”. [the FDA’s] Authority to ensure. . . “The cybersecurity of a particular cyber device is reasonably assured,” the draft guidance states, which the FDA will “interpret.” . . This means that “reasonable assurance of cybersecurity” can be part of FDA’s determination of a device’s safety and effectiveness. ” This highlights the importance of ensuring compliance with Section 524B for manufacturers and sponsors seeking approval of cyber devices.