To improve medical device safety, the HHS Office of the Inspector General (OIG) is recommending that the FDA better integrate cybersecurity criteria into its premarket review process for medical devices.
In its September, 10th report, OIG advised the FDA make three specific improvements related to cybersecurity, all of which the agency says it is currently working to adopt:
- Include cybersecurity documentation as a criterion in its Refuse-to-Accept (RTA) checklist.
- Use presubmission meetings with manufacturers to address cybersecurity-related questions.
- Add cybersecurity questions to its 'Smart' template, which guides FDA's review of medical device submissions.
We've summarized the details of each of these changes to the premarket review process along with general preparation advice for affected device manufacturers.
Free White Paper: The FDA's Registration Process for Medical Devices
Cybersecurity in Refuse-to-Accept (RTA) Checklists
RTA checklists provide a list of items companies must submit at the beginning of the review process in order to be considered for potential clearance or approval.
As stated in the OIG report, "FDA’s ‘Refuse-to-Accept’ checklists, which the agency uses to screen submissions for completeness, do not include checks for cybersecurity information."
In its response to OIG's recommendation, FDA agreed to add a cybersecurity component to this initial consideration criteria, saying, “we believe that including cybersecurity as an item on the list could improve review efficiency by ensuring that the file containing all the necessary elements before the review is initiated rather than asking for such information, if not already in the premarket submission, during the review.”
Also in its response, FDA points out that adding cybersecurity to the RTA won't change what information companies have to ultimately submit. They'll just have to prepare and submit that information sooner.
What it means for medical device companies
The implication for device companies may be easier said than done: All necessary elements of digital security must be prepared up front for initial submission rather than relying on regulators to ask for it later.
While cybersecurity measures that address lifecycle risks and all potential harm from cybersecurity incidents should be implemented and documented during product development — well before they're ever examined by regulators — their inclusion on the RTA checklist means companies may need to alter their device submission processes in order to make that information available and compelling during the initial presubmission stage.
Addressing Cybersecurity During Presubmission Meetings
Federal inspectors also recommend that FDA include cybersecurity discussions in their meetings with companies planning to submit devices for approval.
This, too, was a point of agreement. Regulators indicated they have already taken steps to implement this.
What it means for medical device companies
Device companies should prepare to address detailed cybersecurity questions with special attention given to known vulnerabilities. Affected manufacturers should review the guidance documents pertaining to cybersecurity and understand which vulnerabilities may pertain to their product. They should be prepared to explain, with evidence, how their product is secure. Companies should also have a firm grasp on FDA's approach to cybersecurity and participate in information-sharing organizations where active cybersecurity discussions take place.
The following resources may be helpful.
Guidance Documents:
• Content of Premarket Submissions for Management of Cybersecurity in Medical Devices
• Postmarket Management of Cybersecurity in Medical Devices
• Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software
Presentations:
• HIMSS18 FDA Slide Deck: Managing Medical Device Cybersecurity Vulnerabilities
Organizations:
• Information Sharing and Analysis Organizations (ISAOs)
Other:
• Cybersecurity and the Medical Device Product Development Lifecycle
Adding Cybersecurity Questions to 'Smart' Template
According to OIG's report, "FDA's 'Smart' template, which FDA uses to guide its reviews of submissions, does not prompt FDA reviewers with specific cybersecurity questions that they should consider and also lacked a dedicated section for recording the results of the cybersecurity review.
The report goes on to explain, "The Smart template’s software section referred FDA reviewers to the October 2014 premarket cybersecurity guidance. However, unlike the software section, which included specific software questions, the Smart template does not prompt FDA reviewers with specific cybersecurity questions that they should consider when reviewing submissions. Although a software review may cover some aspects of a cybersecurity review (e.g., review of the device’s software update plan), FDA reviewers may not consider non-software aspects of a networked medical device, such as physically securing the device or limiting functionalities to authorized users."
In its official response, FDA noted that it had added a cybersecurity section to the template in 2016, but intends on further enhancing it, presumably in line with OIG's recommendations. "As the medical device ecosystem continues to mature around device cybersecurity, we anticipate that the Smart template will be iteratively updated to keep pace with the evolution."
What it means for medical device companies
The inclusion of the specific components referenced in the OIG report should be important points of preparation for companies bringing lower-risk devices to market.
The Importance of Hiring an FDA Consultant When Preparing for Device Approval
When preparing to bring a networked medical device, the question, "What is the FDA looking for?" can become a complicated one deserving of a regulatory affairs expert with intimate knowledge of current FDA expectations. By hiring an experienced consultant, you can avoid surprises and anticipate everything with a thorough submission plan guiding you through the entire process. Learn more about our regulatory affairs services and contact us today to start the conversation.