Over the past decade, the FDA has steadily increased the scrutiny it applies to the cybersecurity aspects of submissions. From the guidance issued on this topic in 2014, through the extensive additions in the 2018 guidance and most recently the 2022 guidance, the FDA has made it clear that cybersecurity management must be carefully considered within 510(k) applications. In the latest update, effective as of March 29, 2023, the FDA now reserves the right to refuse a 510(k) application for cybersecurity deficiencies under the following circumstances.
#1: The application does not include an adequate plan to address postmarket cybersecurity vulnerabilities in a reasonable time. Such a plan would describe how vulnerabilities are identified, monitored and disclosed.
#2: The application does not contain evidence that the medical device's design and development followed processes and procedures that provide reasonable assurance that the device is cybersecure.
#3: The medical device within the application does not have the means to be updated postmarket to address discovered cybersecurity threats. These updates would be required either on a reasonably justified regular cycle or, possibly, out of cycle to address a critical vulnerability.
#4: The application does not contain an appropriate software bill of materials (SBOM) that lists the open source software as well as the commercial software used within the medical device.
#5: The application does not comply with any additional requirements that the FDA may impose through regulation to demonstrate with reasonable assurance that the medical device is cybersecure.
Ultimately, if your medical device has software and connectivity to the Internet, it has now become a prime candidate for outright refusal of a 510(k) submission for lack of adherence to the rapidly evolving FDA regulations in this area. Driven mainly by new law resulting from the Consolidated Appropriations Act of 2023, specifically section 3305, titled "Ensuring Cybersecurity of Medical Devices", and the subsequent amendments to section 524B of the Federal Food, Drug, and Cosmetic Act (FD&C Act), these new cybersecurity regulations need to be seriously considered in any 510(k) submission to avoid costly delays.
At Bold Type we have always taken cybersecurity concerns seriously and incorporated extensive measures to address them as part of our ISO 13485 compliant processes and procedures. We have been prepared for the inevitable and well-deserved increase in 510(k) scrutiny over cybersecurity threats, addressing such concerns fundamentally in our software architectures as well as within our 510(k) submissions. For us, cybersecurity of connected medical devices is foundational, which is why we make sure we are well positioned to comply with the evolving FDA regulations in this space.
When it comes to safeguarding your connected medical devices to ensure a smooth FDA submission and avoid costly mistakes, Bold Type is the team to rely on. Contact us today.
Reference: Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber Devices and Related Systems Under Section 524B of the FD&C Act, March 30, 2023, https://www.fda.gov/media/166614/download