It’s the Law Now – Cybersecurity Information in Premarket Submissions

April 26, 2023 | By Philip Won & Jeffrey K. Shapiro

Does your firm manufacture a “cyber device”?  A recent amendment to the Federal Food, Drug, and Cosmetic Act (FD&C Act) added a new section on cybersecurity for “cyber devices.”  If a device includes software and has the ability to connect to the internet, it is very likely a cyber device and therefore subject to new section 524B of the FD&C Act, “Ensuring Cybersecurity of Devices.”  This provision became effective on March 29, 2023.  Beginning October 1, 2023, FDA may treat the information it requires as part of the “refuse to accept” (RTA) review of premarket submissions.

FDA’s New Cybersecurity Authority

Over the past several years, FDA has been expanding its efforts to encourage mitigation of cybersecurity threats to medical device functionality and to device users, but until section 524B of the FD&C Act was enacted, FDA’s recommendations on medical device cybersecurity were not codified in law.  The primary vehicle for FDA to request cybersecurity information in premarket submissions has been guidance documents.  FDA’s legal standing to insist on cybersecurity features, however, especially within the substantial equivalence paradigm of the 510(k) program, has been questionable.  Now, with explicit statutory authority, FDA’s push for cybersecurity has a firm legal footing.

Congress has given FDA the authority to require device manufacturers to provide cybersecurity information in their premarket submissions for a “cyber device.”  Section 524B(a) states:

A person who submits an application or submission under section 510(k), 513, 515(c), 515(f), or 520(m) [i.e., 510(k), premarket approval application (PMA), Product Development Protocol (PDP), De Novo, or Humanitarian Device Exemption (HDE)] for a device that meets the definition of a cyber device under this section shall include such information as [FDA] may require to ensure that such cyber device meets the cybersecurity requirements. . . .

Definition of A Cyber Device

Section 524B(c) defines a “cyber device” as a device that—

(1) includes software validated, installed, or authorized by the sponsor as a device or in a device;

(2) has the ability to connect to the internet; and

(3) contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.

All three elements must be present for a device to be a “cyber device.”  The technological characteristics in the third element may cover a wide range of device functions, for instance, monitoring features, stimulation parameters, and communications with healthcare providers.  The definition applies whether the software is the entire device (i.e., Software as a Medical Device, or SaMD) or the software is embedded in a traditional hardware device (i.e., Software in a Medical Device, or SiMD).

Note that section 3060(a) of the 21st Century Cures Act of 2016 amended section 520 of the FD&C Act to remove certain software functions from the statutory definition of a medical device.  Therefore, a firm should first determine whether its product meets the statutory definition of a device at all.  If it does not, the product is not regulated as a device under the FD&C Act, and section 524B does not apply.  We have recently blogged on this topic (“Is my software a medical device?”).

The new requirements

Section 524B(b) requires the sponsor of a premarket submission for a cyber device to do the following:

(1) submit to the Secretary a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures;

(2) design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems to address—

(A) on a reasonably justified regular cycle, known unacceptable vulnerabilities; and

(B) as soon as possible out of cycle, critical vulnerabilities that could cause uncontrolled risks; [and]

(3) provide to the Secretary a software bill of materials, including commercial, open-source, and off‑the‑shelf software components.

Timeline

Section 524B became effective on March 29, 2023.  Through a recent (and very short) Guidance document, FDA indicated that, starting on October 1, 2023, FDA may base “refuse to accept” (RTA) decisions on the information required by section 524B.  Until this deadline, FDA generally intends not to issue RTA decisions based solely on the information required by section 524B.  Instead, FDA “intends to work collaboratively with sponsors of such premarket submissions as part of the interactive and/or deficiency review process.” Id. at 2.

Note that FDA does not conduct an RTA acceptance review for submissions submitted via eSTAR.  As of April 17, 2023, the current eSTAR versions state: “A guided walk-through of Section 524B of the FD&C Act is not yet available below. It will be provided in a future eSTAR update.  Please refer to the help text in this section for the content that is required according to this statute.”  In the meantime, users of eSTAR templates need to add attachments covering cybersecurity risk management, the cybersecurity management plan, the continuing support plan, and cybersecurity labeling.  For those who are not familiar with eSTAR, please refer to our previous posts on the topic.

Loose Ends

IDEs.  There is still uncertainty about section 524B and how FDA is going to marry it to existing programs.  For example, what cybersecurity information needs to be provided in investigational device exemption (IDE) applications?  In the 2022 draft Guidance for Cybersecurity in Medical Devices, FDA recommends that only a subset of the documentation be included in IDE applications: (1) cybersecurity risks as part of the informed consent form, (2) global, multi-patient, and updateability/patchability views, (3) security use case views for functionality with safety risks (e.g., implant programming), (4) the software bill of materials, and (5) general labeling (connectivity and associated general cybersecurity risks, and the updateability process).  Section 524B(a) lists submissions under sections 510(k), 513, 515(c), 515(f), and 520(m); IDE applications are submitted under section 520(g), which is not among them.  Since section 524B on its face does not apply to IDEs, these recommendations seem likely to remain unaltered by the new law.  It would be helpful if FDA would clarify its intentions in this regard.

Special 510(k)s.  If a firm wants to add a cyber feature (e.g., internet connectivity) to a device that is not currently a cyber device and that is already authorized for commercial distribution through 510(k) clearance or a De Novo classification request, the firm needs to determine whether the change can be submitted as a Special 510(k).

The Special 510(k) Program Guidance provides an example of a change involving the addition of wireless control capabilities to a bilevel positive airway pressure (BiPAP) device intended to treat patients with obstructive sleep apnea.  The Guidance notes that “[v]erification and validation should be conducted to ensure that the BiPAP has acceptable wireless quality of service, coexistence, cybersecurity, and maintains EMC in its intended environment of use.”  The Guidance concludes that such a change cannot be reviewed in a Special 510(k), because “there are not well-established methods in an FDA-recognized voluntary consensus standard or in the manufacturer’s previous 510(k) that address the methods to evaluate the addition of wireless control for this BiPAP. The test methods vary depending on the wireless quality of service necessary for the device’s intended use and environment of use.”

This example suggests that the prospects are poor for adding cyber features via a Special 510(k).  However, FDA should update the Special 510(k) Program to clarify if and how the information required by section 524B could be submitted for review in a Special 510(k).

510(k) exempt.  It appears from the plain language of section 524B(a) that section 524B does not apply to 510(k)‑exempt devices, because no premarket submission is made for them.  An interesting question is whether FDA would take the position that converting a device from non‑cyber to cyber exceeds the limits of the exemption and therefore requires a 510(k) clearance, which would bring section 524B into play.

What’s next?

Section 524B(b)(4) of the FD&C Act authorizes FDA to issue regulations with additional requirements for cyber devices.  Given FDA’s track record in issuing regulations, it will likely be many years before that happens, if it ever does.

As noted above, FDA published a draft guidance titled “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions” just about a year ago.  Per section 3305(e) of the Consolidated Appropriations Act, 2023 (the “Omnibus,” which enacted section 524B), FDA must issue an updated guidance document by December 2024.  Given that this guidance is on the A-list of guidance documents FDA intends to publish during FY2023, FDA will likely publish the final guidance within a few months.  We look forward to it.
