- The Food and Drug Administration has finalized guidance intended to help device developers comply with recently enacted cybersecurity obligations for premarket submissions.
- In the guidance, the FDA outlines how to use a secure product development framework to manage cybersecurity risks, explaining how the model applies to risk management, security architecture and cybersecurity testing.
- The FDA, which could start refusing filings that lack cybersecurity information on Oct. 1, finalized the guidance after reviewing more than 1,800 comments on a draft it published last year. Based on the feedback, the FDA clarified required documents and interoperability considerations.
Late last year, Congress empowered the FDA to issue “refuse to accept” decisions to applicants that fail to include the information it needs to ensure medical devices meet cybersecurity requirements. The FDA said it “generally intends” not to use that power before Oct. 1. After that, the agency expects sponsors “will have had sufficient time to prepare premarket submissions that contain [the] information required.”
Days before the deadline, the FDA has published final guidance intended to help companies comply with the requirements. The guidance replaces a document released in 2014 and reflects the “rapidly evolving landscape, an increased understanding of emerging threats, and the need for capable deployment of mitigations throughout the total product lifecycle.”
Medical device manufacturers responded favorably to the draft released for consultation last year, with the trade group AdvaMed saying it “provides meaningful and necessary updates” and “generally takes a sensible approach regarding cybersecurity review of medical devices.” The FDA discussed the changes it has made in response to the more than 1,800 comments it received on the draft.
“FDA ... revised the guidance as appropriate in response to the comments, including aligning with industry best practices, as well as further clarifying the level of documentation recommended. Additionally, we have clarified interoperability considerations and that cybersecurity controls should not be intended to prohibit a user from accessing their device data,” the agency wrote.
AdvaMed made two requests for high-level changes, namely for cybersecurity to be risk-based and for the FDA to provide a two-year transition period. The final text features a new section on cybersecurity risk assessment, in which the FDA discusses “methods used for scoring the risk pre- and post-mitigation and the associated acceptance criteria” and related topics.
Neither the final guidance nor the Federal Register post to publicize its availability mentions a change in when the FDA plans to start using its recently gained powers. The FDA set the Oct. 1 start date in March.