October 2, 2018
To improve medical device safety, the HHS Office of the Inspector General (OIG) is recommending that the FDA better integrate cybersecurity criteria into its premarket review process for medical devices.
In its September 10th report, OIG advised that the FDA make three specific improvements related to cybersecurity, all of which the agency says it is currently working to adopt:
We've summarized the details of each of these changes to the premarket review process along with general preparation advice for affected device manufacturers.
Refuse-to-Accept (RTA) checklists list the items companies must submit at the beginning of the review process in order to be considered for potential clearance or approval.
As stated in the OIG report, "FDA’s ‘Refuse-to-Accept’ checklists, which the agency uses to screen submissions for completeness, do not include checks for cybersecurity information."
In its response to OIG's recommendation, FDA agreed to add a cybersecurity component to this initial consideration criteria, saying, “we believe that including cybersecurity as an item on the list could improve review efficiency by ensuring that the file containing all the necessary elements before the review is initiated rather than asking for such information, if not already in the premarket submission, during the review.”
Also in its response, FDA points out that adding cybersecurity to the RTA won't change what information companies have to ultimately submit. They'll just have to prepare and submit that information sooner.
The implication for device companies is easier stated than done: all necessary elements of digital security must be prepared up front for the initial submission, rather than relying on regulators to ask for them later.
Cybersecurity measures that address lifecycle risks and all potential harm from cybersecurity incidents should already be implemented and documented during product development, well before regulators ever examine them. Their inclusion on the RTA checklist nonetheless means companies may need to alter their submission processes so that this information is available, and presented convincingly, at the initial presubmission stage.
Federal inspectors also recommend that FDA include cybersecurity discussions in its meetings with companies planning to submit devices for approval.
This, too, was a point of agreement. Regulators indicated they have already taken steps to implement this.
Device companies should prepare to address detailed cybersecurity questions, with special attention given to known vulnerabilities. Affected manufacturers should review the guidance documents pertaining to cybersecurity and understand which vulnerabilities may pertain to their product. They should be prepared to explain, with evidence, how their product is secured. Companies should also have a firm grasp of FDA's approach to cybersecurity and participate in information-sharing organizations where active cybersecurity discussions take place.
The following resources may be helpful.
• Content of Premarket Submissions for Management of Cybersecurity in Medical Devices
• Postmarket Management of Cybersecurity in Medical Devices
• Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software
According to OIG's report, "FDA's 'Smart' template, which FDA uses to guide its reviews of submissions, does not prompt FDA reviewers with specific cybersecurity questions that they should consider and also lacked a dedicated section for recording the results of the cybersecurity review."
The report goes on to explain, "The Smart template’s software section referred FDA reviewers to the October 2014 premarket cybersecurity guidance. However, unlike the software section, which included specific software questions, the Smart template does not prompt FDA reviewers with specific cybersecurity questions that they should consider when reviewing submissions. Although a software review may cover some aspects of a cybersecurity review (e.g., review of the device’s software update plan), FDA reviewers may not consider non-software aspects of a networked medical device, such as physically securing the device or limiting functionalities to authorized users."
In its official response, FDA noted that it had added a cybersecurity section to the template in 2016 but intends to enhance it further, presumably in line with OIG's recommendations: "As the medical device ecosystem continues to mature around device cybersecurity, we anticipate that the Smart template will be iteratively updated to keep pace with the evolution."
The specific components referenced in the OIG report should be important points of preparation for companies bringing lower-risk devices to market.
When preparing to bring a networked medical device to market, the question "What is the FDA looking for?" can become a complicated one, deserving of a regulatory affairs expert with intimate knowledge of current FDA expectations. By hiring an experienced consultant, you can avoid surprises and anticipate requirements with a thorough submission plan guiding you through the entire process. Learn more about our regulatory affairs services and contact us today to start the conversation.