Your Champion for Product Success

CYBERSECURITY: What you need to know for your submission

Any medical device which includes software that can be “updated” and/or any device that can export data to another system, will need to meet the FDA’s “cybersecurity” requirements henceforth. Sometimes folks try to argue that any software update will only be conducted by authorized personnel and only with company issued flash-drives will likely find that this mitigation is not sufficient. FDA needs more.

FDA released: Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions Guidance, packed full of essential information for any new submission. Other guidance deals with Total Product Life Cycle mitigations but for this space we will concentrate on new products. If you have any doubt about how important this is, realize that this is not just an FDA “guidance” it is now a regulation. Under section 524B(a) of the FD&C Act, a person who submits a 510(k), PMA, PDP, De Novo, or HDE for a device that meets the definition of a cyber device, as defined under section 524B(c) of the FD&C Act, is required to submit information to ensure that cyber devices meet the cybersecurity requirements under section 524B(b) of the FD&C Act. 19 Section 524B(c) of the FD&C Act defines “cyber device” as a device that “(1) includes software validated, installed, or authorized by the sponsor as a device or in a device; (2) has the ability to connect to the internet; and (3) contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.”

And this is not just a matter of making sure the submission covers all the key points, FDA sees this as a requirement that needs to be addressed through the product development program and part of the Quality System compliance for a proper product by incorporating a “Secure Product Development Framework (SPDF).” Paladin Medical® can guide your team through the development program to assure cybersecurity deliverables for the submission are built into the quality program for your new product.