FDA drafts ‘select updates’ to guidance on medical device cybersecurity, addressing statutory requirements

Life Sciences | By LAURA DIANGELO, MPH

Mar. 12, 2024

In late 2023, the FDA finalized a long-awaited guidance on medical device cybersecurity – but also promised updates to that final guidance which would address certain statutory requirements. Today, the agency published a draft version of those “select updates,” which delineate how the FDA will interpret key statutory definitions and provide expectations for documentation and for bringing existing devices into compliance.

Medical device cybersecurity: A decade of policymaking and new statutory authority

  • An extremely quick background: The FDA has worked to modernize its approach to medical device cybersecurity over the past decade. In 2014 and 2016, FDA finalized guidance documents on cybersecurity information in pre-market submissions and the post-market management of cybersecurity. In 2018, the agency issued a draft update to the 2014 pre-market submission guidance – which was never finalized – outlining a two-tier system for cybersecurity risk. In 2022, the agency issued a revised draft update to the 2018 draft guidance, seeking to address questions about the expectations for cybersecurity as an emerging (but increasing) risk to patient safety and device performance. At the time, the agency lacked explicit statutory authority to consider cybersecurity information. Rather, the FDA has historically made the case that cybersecurity is a key component of device safety, and therefore can be a required part of the agency’s authority over ensuring the safety and efficacy of medical devices.
  • The FDA gained explicit statutory authority to oversee and require cybersecurity information for medical devices under the Food and Drug Omnibus Reform Act (FDORA) provisions of the 2023 omnibus bill. This provision codified new statutory authority – now found at section 524B of the Federal Food, Drug and Cosmetic (FD&C) Act – for the FDA to require cybersecurity information as part of certain medical device regulatory oversight. This includes the FDA’s ability to require a post-market monitoring plan for cybersecurity vulnerabilities and the sponsor’s plan for addressing them, as well as a handful of other requirements. The new statutory additions state that the specifically listed cybersecurity information would be required for what it calls a “cyber device” (to be explained below).
  • In September 2023, the FDA finalized its long-awaited cybersecurity guidance. The new document finalized the 2022 revised draft, albeit with some key changes, including references to FDA’s new statutory authority and expansion of the scope of the guidance [See AgencyIQ’s full analysis of the guidance document here]. That guidance lays out the FDA’s expectations for cybersecurity information in pre-market applications, as well as the quality system implications for cybersecurity, delineating the components of cybersecurity that the agency wants to see – including documentation in pre-market applications (e.g., cybersecurity risk assessments) and security risk management in quality systems.
  • The statutory provisions in FDORA included both an implementation timeline and some very specific requirements. The statutory provisions requiring cybersecurity information for “cyber devices” technically came into effect in March 2023, but the FDA issued a direct-to-final guidance that effectively delayed compliance through October 2023 – and then issued the new final guidance in late September 2023. However, there are some differences in the scope of the 2023 final guidance and the FDORA provisions – in particular, the term “cyber device” and the specific types of information required for these devices.
  • What is a “cyber device”? The new section 524B of the FD&C Act, as added by FDORA, defines a “cyber device” as one that “(1) includes software validated, installed, or authorized by the sponsor as a device or in a device; (2) has the ability to connect to the internet; and (3) contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.” However, this definition is technically different from the scope of the 2023 final cybersecurity guidance, which states that it “is applicable to [medical devices] that contain software (including firmware) or programmable logic, as well as devices that have a device software function” and “is not limited to devices that are network-enabled or contain other connected capabilities.” The law gives some specific requirements as to what types of information are required for “cyber devices.”
  • The 2023 guidance has a broader application than the definition of “cyber device” that is subject to specific statutory requirements. After publication of the 2023 final guidance, CDRH confirmed that it planned to update the still-new final guidance to address “cyber devices” more specifically. These “select updates” to the final guidance were then listed on the CDRH FY 2024 Guidance Agenda as an A-List priority.

Now, the draft “select updates” for cyber device requirements have been published, indicating a broad scope

  • On March 13, the FDA published a draft guidance entitled “Select Updates for the Premarket Cybersecurity Guidance: Section 524B of the FD&C Act.” As expected, this draft guidance is intended to provide select updates to the cybersecurity guidance that the agency finalized in September 2023. When finalized, these draft updates will be added into that final 2023 guidance, the bulk of which will remain the same. The draft “select updates” are open for public comment, like a standard draft guidance document. When finalized, the “select updates” will become Section VII of the final guidance.
  • A quick note on the statutory requirements and how they’ll be applied for authorization decisions: The final section of the draft guidance includes some language about the way that the FDA is interpreting its new authority. As noted above, the FDA has long considered cybersecurity to be a core component of both safety and performance of a medical device. However, the new statutory authority allows the agency to specifically require this information, and “FDA interprets this provision to mean that a ‘reasonable assurance of cybersecurity’ can be part of FDA’s determination of a device’s safety and effectiveness” – and, therefore, the FDA’s specific market access determination.
  • For 510(k) pre-market notifications, specifically: The FDA indicates that differences in the cybersecurity context between a new 510(k) submission and its predicate device will be a point of consideration for the FDA. These include differences or changes in the “environment of use” or “new risks or vulnerabilities in the technological characteristics,” and the FDA may expect (or ask for) testing to address the risks or vulnerabilities. “For example, if in reviewing the 510(k) for an alarm for a central nursing station software, FDA identifies that the device has increased risks compared to its predicate because it does not have the necessary encryption to protect against a recently identified cyber threat, FDA may ask for additional performance data. If the data provided is inadequate, FDA would likely make a determination that the new device is not substantially equivalent (NSE) to the predicate device because this threat, if exploited, could negatively impact the safety and effectiveness of the device because alarm accuracy is essential for health care providers to effectively monitor the health of patients in a hospital.”
  • This final section of the select updates (Section E) seems to indicate that a new 510(k) would be expected to address newly identified (“recently identified”) cyber threats, rather than relying on the types of testing that were sufficient for the predicate device. This aligns with recommendations from a draft guidance issued in 2023 on clinical data in 510(k)s, which was published as one of a trio of guidance documents touted as a part of FDA’s efforts to modernize the 510(k) pathway. That guidance noted that additional data may be needed when there are “newly identified or increased risk[s] of the predicate device.” Interestingly, this call-out in the new draft cybersecurity guidance would likely be a key example of this situation in the 510(k) clinical data guidance, which is still in draft form.
  • Modifications to existing devices will need to account for the cyber device requirements. Going forward, the FDA will be looking for cybersecurity information in applications to modify an existing, already-authorized medical device (i.e., there is no grandfathering that would exempt newly defined cyber devices from these requirements going forward). This means that sponsors of “cyber devices” that have not previously met the statutory requirements under 524B will need to do so when making a modification to their authorized device.
  • This applies whether or not the change/modification the sponsor is looking to make is cybersecurity related. Per the select updates, changes that would impact cybersecurity (e.g., “changes to authentication or encryption algorithms, new connectivity features, or changing software update process/mechanisms”) would be expected to contain the documentation outlined in the guidance. However, cybersecurity information would still be expected in applications for modifications that are “unlikely to impact cybersecurity,” including “material changes, sterilization method changes, or a change to an algorithm without change to architecture/software structure/connectivity.” The select updates draft guidance lays out what the agency would expect to see in a submission to modify a device in these circumstances – including the documentation described below (in certain circumstances, they “may provide summary information” instead of the full documentation in the guidance). For example, if a device manufacturer is looking to update their sterilization method and submits the appropriate submission (e.g., a 510(k) or a Pre-Market Approval (PMA) supplement), they may need to provide a Software Bill of Materials (SBOM) or the plans and processes to meet the requirements in 524B, “if not previously provided.”
  • The agency explains the intent of the policy as follows: “In general, in its cybersecurity review, FDA intends to focus substantive review on modifications to cybersecurity controls or modifications that are likely to affect cybersecurity. However, regardless of the type of change being proposed to the device in the premarket submission, FDA intends to take into account known cybersecurity concerns that are applicable to such device when conducting its premarket reviews and in determining whether the device has a reasonable assurance of cybersecurity.”

The new “select updates” for cyber device requirements: Definitions and applicability

  • A detailed interpretation of “cyber device”: As noted above, this term is called out in statute as a category of medical device for which specific types of cybersecurity information and documentation are required. The new select updates cite the statutory definition as provided above, but also go on to explain the criteria within that definition in more detail.
  • Criterion 1: The FDA is proposing to rely heavily on definitions from the National Institute of Standards and Technology (NIST). In particular, “for the term ‘software,’ FDA considers a ‘cyber device’ to include devices that are or contain software, including software that is firmware or programmable logic.” The final clause of that sentence is further explained in a footnote, in which the FDA clarifies that this includes products containing what NIST defines as programmable logic controllers: “A solid-state control system that has a user-programmable memory for storing instructions for the purpose of implementing specific functions such as [input/output] I/O control, logic, timing, counting, three mode (PID) control, communication, arithmetic, and data and file processing.” As the FDA explains, “Programmable logic is therefore a specific type of computer program and/or data stored on hardware, and is thus a type of software.”
  • Criterion 2: What it means to “have the ability to connect to the internet.” Per the draft document, this refers to “devices that are able to connect to the internet, whether intentionally or unintentionally, through any means (including at any point identified in the evaluation of the threat surface of the device and the environment of use).” In this case, “threat surface” is provided with a definition (via a footnote) that has been adapted from NIST, that reads as follows: “the set of points on the boundary of a system, a system element, or an environment where a cyber threat can try to enter, cause an effect on, or extract data from, that system, system element, or environment;” it is considered “synonymous with the term ‘attack surface’” – notably, the FDA’s definition comes from NIST’s definition of “attack surface.”
  • In short: If it can connect to the internet, it’s considered an internet-connected device – and therefore a cyber device: “It is well-demonstrated that if a device has the ability to connect to the Internet, it is possible that it can be connected to the Internet, regardless of whether such connectivity was intended by the device sponsor,” the guidance explains. The agency goes on to give a list of the types of methods by which a product could connect to the internet that would meet this definition (the list is not exhaustive), including Wi-Fi/cellular, network or Cloud Service Provider connections, Bluetooth, radiofrequency (RF) or inductive communications, or “hardware connectors capable of connecting to the internet” such as a USB or serial port.

The new “select updates” for cyber device requirements: Documentation and submissions

  • Additional information required for cyber devices: Section 524B(b)(1)–(4) of the FD&C Act specifies the information that a sponsor would need to provide to the FDA for a cyber device. In the statute, this includes four core components: (1) a “plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures; (2) design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems to address … unacceptable vulnerabilities” on a “reasonably justified regular cycle” as well as “critical vulnerabilities” that occur “out of [that] cycle”; (3) a Software Bill of Materials (SBOM); and (4) other requirements as put forward by FDA. The select updates offer guidance on how to meet these requirements.
  • Regarding the first core component above – a “plan to monitor, identify, and address” post-market vulnerabilities – the FDA notes that, in addition to the contents of a Cybersecurity Management Plan as recommended in the existing cybersecurity final guidance, documentation for a “cyber device” would need to have three additional components. For a coordinated vulnerability disclosure (CVD) “and related procedures,” the agency notes that these could include: (1) “coordinated disclosures” of the vulnerabilities and exploits from external entities like third-party software suppliers or researchers, (2) disclosures of vulnerabilities/exploits that are identified by the manufacturer, and (3) the procedures by which manufacturers would carry out the disclosures. In short: Disclosure of vulnerabilities/exploits identified by both the manufacturer and other sources, and the plan to make these disclosures. These plans would need to include information on “the timeline, with associated justifications” for the development and release of updates and patches – including the cycle on which the manufacturer intends to make regular patches/updates and by which it would make updates/patches out of cycle for “critical vulnerabilities that could cause uncontrolled risks.” Finally, the agency notes that these plans, processes and procedures will likely need to be updated over time and should be kept current throughout the total product lifecycle (TPLC).
  • Notably, the FDA includes a paragraph specifically calling out that these plans should “account for any differences in the risk management for fielded devices” – or devices that are no longer marketed but are still in use. Per the agency, the plans and processes described in statute would need to account for the differences these devices may pose: “For example, if an update is not applied automatically for all fielded devices, then there will likely be different risk profiles for the differing software configurations of the device. Vulnerabilities should be assessed for any differing impacts for all fielded versions to ensure patient risks are being accurately assessed.”
  • Regarding the second core component above – to “design, develop, and maintain processes and procedures” on devices and “related systems” – the statute calls out that the cybersecurity “processes and procedures” would “provide a reasonable assurance that the device and related systems are cybersecure” (emphasis added). In the new draft select updates, the FDA is defining “related systems” as the “other functions” in a multiple function device (MFD). It further notes that the recommendations in the 2023 final guidance (summarized here) “should be considered and used to demonstrate reasonable assurance that the device and related systems are cybersecure.” In short: The existing recommendations meet this statutory requirement, and “related systems” is defined as all the functions in an MFD.
  • Similarly, the requirement that an SBOM be included for cyber devices should be met by the recommendations already found in the final cybersecurity guidance. As stated in the new draft select updates guidance: “To assist with complying with this requirement, we recommend that a cyber device provide SBOMs that contain the information recommended” in that guidance.

What’s next?

  • CDRH seems to expect questions on the new draft additions to the cybersecurity guidance. It has already scheduled a webinar on the policy proposals, which will be held on April 30. Questions will likely focus on the scope of the document, including the 510(k) and modification expectations outlined in the guidance.
  • The guidance is also open for comment through May 13, 2024.

To contact the author of this item, please email Laura DiAngelo.
To contact the editor of this item, please email Chelsey McIntyre.
