FDA finalizes advice on cybersecurity info to include in device submissions Hogan Lovells Engage

The US Food and Drug Administration (FDA) has finalized its guidance "Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions," which advises medical device manufacturers on how to tighten cybersecurity measures in response to rapidly evolving online threats to both patients and hospitals. Notably, the finalized version of the guidance differs from the draft issued last year in its addition of PATCH Act language, information regarding interoperability considerations, and advice on how device cybersecurity design and documentation should be scaled with the cybersecurity risk of that device. We analyze these and other changes to the guidance below. As FDA will soon begin issuing "refuse to accept" decisions to applicants that fail to include proper cybersecurity information in premarket submissions to the agency, medical device manufacturers should analyze and understand their obligations under the guidance.

FDA's new final guidance replaces the April 2022 draft guidance of the same name, which we analyzed online here, and it also supersedes FDA's 2014 final guidance "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices." There were more than 1,800 public comments on the draft version of the guidance, which FDA was required to finalize by the end of September 2023. In announcing release of the final guidance, the agency emphasized how the increased integration of wireless devices, electronic exchange of medical device-related information, and cybersecurity vulnerabilities and incidents highlight the importance of having stronger cybersecurity measures. The final version of the guidance mirrors closely the draft version, with the exceptions outlined below, and implements many of the documentation expectations that FDA has been requesting over the last year.

The Protecting and Transforming Cyber Health Care Act of 2022 (PATCH Act) was signed into law on December 29, 2022 as a part of the 2023 Consolidated Appropriations Act (CAA). The PATCH Act's text can be found in Section 3305 of the CAA, "Ensuring Cybersecurity of Medical Devices," which amended the Federal Food, Drug, and Cosmetic Act (FDCA) by adding section 524B, "Ensuring Cybersecurity of Devices." Effective March 29 of this year, the law empowered FDA to issue "refuse to accept" (RTA) decisions to applicants that fail to include the information it needs to ensure medical devices meet cybersecurity requirements. However, FDA indicated in March that it did not plan to exercise its new authority until October of this year.

Primarily, the finalized guidance differs from the draft version of the guidance in its references to helping manufacturers of "cyber devices" meet their obligations under section 524B of the FDCA. Section 524B(c) of the FDCA defines "cyber device" as a device that (1) includes software validated, installed, or authorized by the sponsor as a device or in a device; (2) has the ability to connect to the internet; and (3) contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.

Most significantly novel in the final guidance is the addition of Appendix 4, "General Premarket Submission Documentation Elements and Scaling with Risk," which summarizes the specific documentation elements identified throughout the cybersecurity guidance for premarket submissions, the associated sections of the guidance for each document, and whether the documentation is recommended for IDE submissions. It notes that device cybersecurity design and documentation are expected to scale with the cybersecurity risk of that device.

For example, a device with either only one hardware connection (e.g., a USB port) or a SaMD product with limited other software dependencies and connectivity will likely only need to have a single architecture view for each of the global system, multi-patient harm, and updateability/patchability views, because the security use case views will likely be limited to a smaller subset of unique views to address the available connectivity and software. However, for a device with greater complexities, such as wireless connections, multiple architecture views may be needed for the multi-patient harm and updateability/patchability views, as there may be multiple ways to cause multi-patient harm or to update elements of the device.

The final version of the guidance adds a section on interoperability, emphasizing how it is an important consideration when assessing the cybersecurity of the end-to-end medical device system. The final guidance says that, when properly implemented, the cybersecurity controls can help assure that these interoperability capabilities remain safe and effective. Indeed, in the notice announcing the final guidance, FDA touts how the final guidance clarified interoperability considerations and that cybersecurity controls should not be intended to prohibit a user from accessing their device data.

Previously limited in its draft guidance discussion to call-flow diagrams, the final guidance expands to recommend that manufacturers provide diagrams used more generally to help describe the medical device system architecture, interfaces, communication protocols, threats, and cybersecurity controls used throughout the system. FDA adds: "Different diagramming methods can be used to describe the architecture, including data flow diagrams, state diagrams, swimlane diagrams, and call-flow diagrams, among others."

The following minor changes were also made between the draft and final versions of the guidance:

New terms: To keep pace with the evolving cybersecurity regulatory landscape, FDA added definitions of the following terms to the guidance: anomaly, attack surface analysis, boundary analysis, closed box testing, fuzz testing, reasonably foreseeable misuse, uncontrolled risk, unresolved anomaly, and vulnerability chaining. The agency also expanded its definition of a Software Bill of Materials (SBOM).

BLAs and INDs: Although previously noted in a footnote, FDA made sure to explicitly state in the body of the final version of the guidance that its recommendations regarding the cybersecurity information to be submitted for devices apply to Biologics License Application (BLA) and Investigational New Drug (IND) submissions when submitted to the Center for Devices and Radiological Health (CDRH) or the Center for Biologics Evaluation and Research (CBER), among other submissions.

Combination products: FDA also made sure to state that its recommendations in this guidance apply to the device constituent part of a combination product.

Duplicate documentation: The final guidance advises that, when threat modeling documentation sufficiently captures the security architecture view, FDA does not expect manufacturers to duplicate documentation.

Legacy-use cryptographic algorithms: FDA cautions that device makers should not implement cryptographic algorithms that have been deprecated or disallowed in applicable standards or best practices (e.g., NIST SP 800-131A, "Transitioning the Use of Cryptographic Algorithms and Key Lengths").

On November 2, 2023, FDA will host a webinar for industry and other stakeholders interested in learning more about this guidance.

Although neither the final guidance nor the Federal Register notice discusses the date when FDA plans to start using its recently acquired PATCH Act authority, FDA said in March of this year that the agency could start refusing filings that lack cybersecurity information as soon as October 1, 2023.

If you have any questions on this final guidance, or on cybersecurity requirements or premarket submissions more generally, feel free to contact any of the authors of this alert or the Hogan Lovells attorney with whom you generally work.

Authored by Jodi K. Scott, Lina Kontos, Randy Prebula, and Alex Smith.