Can a Device Be Found Not Substantially Equivalent Because of Cybersecurity Risks? A Review of FDA’s Draft Guidance on Cybersecurity in Medical Devices

FDA recently issued a draft guidance which would update the agency’s Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions guidance.  The draft guidance provides recommendations on what is required to meet cybersecurity obligations under section 524B of the Food, Drug and Cosmetic Act (FD&C). Once finalized, the content from the draft guidance will be included within the existing cybersecurity premarket guidance.

Cyber devices as defined in Section 524B(c) of the FD&C Act are devices that “(1) include[] software validated, installed, or authorized by the sponsor as a device or in a device; (2) [have] the ability to connect to the internet; and (3) contain[] any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.”  FDA interprets the “software” definition to include software that is firmware or programmable logic in addition to software in a medical device (SiMD) or software as a medical device (SaMD). FDA interprets the “ability to connect to the internet” to include devices that can connect to the internet by any means whether the sponsor intends the device to be connected or not.

For medical devices that meet the definition of a cyber device, manufacturers are required to submit specific information in premarket submissions.  Manufacturers are required to design, develop, and provide a “reasonable assurance” that both the cyber device and related systems (e.g., update servers, network connections, cloud, etc.) are cybersecure. In addition, manufacturers need to submit plans for monitoring, identifying, and addressing post market cybersecurity vulnerabilities.  Consistent with the existing premarket cybersecurity guidance, FDA recommends submitting a Cybersecurity Management Plan that should also include disclosing vulnerabilities to device users and other relevant stakeholders “in a reasonable time”.  The plan should include the frequency at which cybersecurity will be re-evaluated and the frequency at which the manufacturer will deploy patches and updates to the end users. Section 524B(b)(2) requires manufacturers of cyber devices to make updates and patches for known unacceptable vulnerabilities “on a reasonably justified regular cycle” and to make updates and patches to address out of cycle, critical vulnerabilities that could cause uncontrolled risks “as soon as possible”. The guidance does not define “on a reasonably justified regular cycle” or “as soon as possible” but instead recommends manufacturers should “update appropriate cybersecurity documentation (e.g., threat modeling)” throughout the device lifecycle as a way to “quickly identify” vulnerabilities and satisfy the patching requirements in the FD&C Act.

Manufacturers that make modifications to an existing device will also need to submit the required information in a premarket submission. In determining what information to submit, the manufacturer should assess whether the change impacts the cybersecurity of the device. FDA provides examples of changes that are likely and unlikely to impact cybersecurity of an existing device.  Even for changes that are unlikely to impact the cybersecurity of the device, such as material changes, sterilization method changes, or changes to an algorithm without changing the architecture/software structure or connectivity, FDA recommends that the following information be submitted:

• Software Bill of Materials (SBOM),
• Summary of any cybersecurity impact since the last authorization,
• Summary of any vulnerabilities identified since the last authorization,
• Description of any limitations to updating the cybersecurity of the device and related systems which should include an assessment of residual cybersecurity risks and benefit risk analysis, and
• Cybersecurity Management Plan or if one was previously submitted, a summary of any changes to the plan and summary of patches or updates made to the device since the last authorization to increase cybersecurity.

As part of the premarket submission review, FDA will assess whether there is a “reasonable assurance of cybersecurity.”  In making this determination, FDA will consider changes in the environment of use, new risks or vulnerabilities in technological characteristics as compared to the predicate device, and how the performance testing submitted addresses new risks and vulnerabilities. Although a “reasonable assurance of cybersecurity” is not explicitly defined, FDA points manufacturers back to the existing cybersecurity guidance (i.e., Appendix 4) for the documentation requirements to “demonstrate reasonable assurance that the device and related systems are cybersecure”.

The draft guidance also notes that FDA may find a proposed device “not substantially equivalent (NSE)” to a predicate device if the proposed device has increased cybersecurity risks that “could negatively impact the safety and effectiveness of the device.”  In the example provided in the draft guidance, the increased cybersecurity risk could be related to a lack of “necessary encryption to protect against a recently identified cyber threat” for which the proposed device is not protected.  The sponsor of the proposed device will be expected to provide performance data to support the cybersecurity of the device against the newly identified threat, and if the data are inadequate, FDA could find the device NSE.

The problem with this expectation, however, is that it is possible, and even likely, that the predicate device, especially as it was cleared, is also not protected against this newly identified threat.  As is often the case when there are advances in technology and understanding of risks, new devices may be held to a higher standard than those to which they are claiming equivalence.  Particularly in the context of a 510(k), it may be difficult for FDA to enforce this expectation if it is not also required of the predicate if there was no public notice to industry of the newly identified threat.  Doing so may be inconsistent with the least burdensome requirement as well as the concept of substantial equivalence.

Given the implications of receiving an NSE for cybersecurity alone, manufacturers and interested parties can still provide comments online regarding the draft guidance until May 13, 2024.