FDA Issues Supplemental Draft Guidance for Premarket Cybersecurity

April 04, 2024

The U.S. Food and Drug Administration (FDA) recently released draft guidance proposing to add a Section VII to the Premarket Cybersecurity Guidance to support obligations under Section 524B of the Food, Drug and Cosmetic Act (FD&C Act).

The FDA’s draft guidance on Section 524B proposes updates to the FDA’s current guidance document, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, which became final in September 2023 and superseded the FDA’s prior premarket cybersecurity guidance for medical devices issued in 2014. While the FDA’s latest issuance is currently in draft form, it is nonetheless instructive for medical device manufacturers, and manufacturers should consider the FDA’s proposed interpretations and recommendations when determining how best to address cybersecurity compliance in 2024 and beyond.

Highlights from the FDA’s Draft Guidance

Here are some of the key takeaways from the FDA’s draft guidance:

Devices Subject to Section 524B of the FD&C Act

The FDA’s draft guidance provides additional insight into the FDA’s current thinking on what meets the definition of a “cyber device” under Section 524B(c) and provides additional guidance on documentation that should be included as part of a premarket submission, such as a 510(k), De Novo, HDE, PMA or PDP. When submitting applications for cyber devices, applicants must include “such information as FDA may require to ensure that the cyber device meets the cybersecurity requirements under section 524B(b).” A cyber device is any medical device that:

  • “[I]ncludes software validated, installed, or authorized by the sponsor as a device or in a device,

  • “[H]as the ability to connect to the internet, and

  • “[C]ontains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to the cybersecurity threats.”

Documentation Required for Section 524B Compliance

Applications for premarket approval of cyber devices must be accompanied by documentation that satisfies the requirements of Section 524B. The FDA’s draft guidance provides recommendations for each of the three types of documentation required. Notably, in some instances the FDA simply refers back to its prior guidance from September 2023. For example, regarding the “plan” requirement under Section 524B(b)(1), the draft guidance states: “We recommend that the plan contain the information recommended for the Cybersecurity Management Plan described in Section VI.B. of the Premarket Cybersecurity Guidance [from September 2023],” in addition to providing additional recommendations.

A “Reasonable Assurance of Cybersecurity” Can Be Part of a Safety and Effectiveness Determination

Noting that nothing in Section 524B “shall be construed to affect [the FDA’s] authority related to ensuring . . . that there is a reasonable assurance of the cybersecurity of certain cyber devices,” the draft guidance states that the FDA “interprets this . . . to mean that a ‘reasonable assurance of cybersecurity’ can be part of FDA’s determination of a device’s safety and effectiveness.” For manufacturers and sponsors seeking approval of cyber devices, this underscores the importance of ensuring compliance with Section 524B.

Contact Us for More Information

Do you have questions or concerns about the implications of Section 524B? If so, we can help. Contact us to speak with one of our experienced FDA compliance attorneys in confidence.