On April 8, 2022, the FDA released an entirely new draft guidance for premarket medical device cybersecurity, building on the public comments it received on its 2018 draft guidance. If finalized, this will replace the 2014 guidance “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices”. This draft guidance, issued in response to the continually growing cybersecurity threats facing medical devices, represents a fundamental shift in the agency’s approach to cybersecurity in the industry. Its expanded scope stresses the importance of cybersecurity in quality systems, aligning the guidance with the Quality System Regulation (QSR) and requiring manufacturers to incorporate cybersecurity throughout the Total Product Life Cycle (TPLC). Once the draft guidance becomes final, it will apply to:
- Premarket Notification (510(k)) submissions
- De Novo requests
- Premarket Approval Applications (PMAs) and PMA supplements
- Product Development Protocols (PDPs)
- Investigational Device Exemption (IDE) submissions
- Humanitarian Device Exemption (HDE) submissions
The release of this guidance has become a topic of controversy, prompting over 1,800 comments expressing concern from the public. Many comments reflect manufacturer concerns, as requirements will be greatly increased to satisfy the QSR, creating a compliance burden throughout the industry. To satisfy these increased requirements, the FDA recommends manufacturers integrate a Secure Product Development Framework (SPDF) into their quality management systems. The SPDF approach has not been seen in this context before, but it seems to reflect the agency’s increased interest in TPLC considerations. The agency expects that manufacturers will perform cybersecurity testing throughout the SPDF. After the device is on the market, cybersecurity testing should continue to be performed regularly to ensure continual protection. Though the concept of the SPDF is being introduced through this document, very little information is provided on how it works or what exactly is needed to ensure compliance. Software developer BeanStock Ventures commented on this issue, requesting that the FDA provide more information about the SPDF. “Why name a new process, instead of incorporating into the already existing design control processes? The security attributes described in the rest of this draft guidance reference design control process. There is very little explanation for what is SPDF,” the comment stated.
Along with the confusion regarding increased requirements and the introduction of the SPDF, there is also controversy regarding language in the document that many found confusing and misleading. A comment from Philips Healthcare states “We urge the FDA to include language around scaling the required/ recommended security processes/ information in accordance with the risk profile of the device… determined by the manufacturer,” as well as “recommendations for medical device manufacturers… need to be made clear what deliverables are requirements and which ones are not… The language within the guidance does include ‘must’, ‘may’, and ‘should’—which certainly suggests requirements.” Philips, along with multiple other healthcare companies such as Fisher & Paykel, expressed a strong desire for the FDA to update the guidance and state in clearer terms exactly what is required of manufacturers in this new submission process. Similarly, many feel that the current draft of the guidance is “repetitive, lengthy, and difficult to read” (BeanStock Ventures). This is not surprising, as the 2022 draft guidance is over five times longer than the 2018 version.
Overall, this controversial change is an interesting development, but certainly not set in stone. The FDA urged the public to comment on the draft guidance until July 7th, but the flood of comments has not ceased, and will likely lead to an extension of that deadline. Due to the number of issues found by the public, it is likely more changes will be made before anything is finalized. We will continue to investigate and update you on any new developments as they occur.