Blog: Medical Device Security
Navigate FDA 524b to get your medical cyber device to market
With amendment 524b officially enacted, medical devices across the United States (and the globe) are living under some new rules and procedures. You’re not alone if you are finding these new regulations a bit complex. Changes to business practices – particularly ones that involve millions of investment dollars, countless hours of development, and (literally) people’s lives at stake – can be a real challenge.
Let’s chip away at some of this complexity. It’s easy to view 524b as merely a new submission process, with some extra documents to complete. But of course, there’s more to it than that. The true lens with which to consider this new legislation is through the eyes of the consumer. Simply put, the FDA has recognized the potential cybersecurity risks posed to public by medical devices and they have responded with 524b. In their own words, published on September 27, 2023:
As more medical devices are becoming interconnected, cybersecurity threats have become more numerous, more frequent, more severe, and more clinically impactful. As a result, ensuring medical device safety and effectiveness includes adequate medical device cybersecurity, as well as its security as part of the larger system. This final guidance supersedes the final guidance “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” issued October 2, 2014.
Lot of words there! To distill their message down, the bottom line is this: bringing medical devices to market in the US just got a lot harder. Having said that, the FDA has pulled together a four-step guidance process to help on your journey from development to market.
Step 1: Understanding classification & controls
Medical Devices are categorized into one of three classes, based on the potential risk the device could pose. For example, Class I is likely cosmetic and presents minimal potential for harm. On the other hand, Class III devices are likely “life or death,” in that they present significant risk of illness or injury. Class II devices are a bit less clearly defined. Two important things to take keen note of:
- The FDA has the ultimate say on which class a given device falls under. The FDA Product Classification Database is a great resource for class determination.
- The required regulatory controls significantly increase with each level of classification, as will the submission type.
What’s critical (hence why this is Step 1!) is to identify your device’s class early in the development process. Its class will dictate the precise, ongoing cybersecurity measures needed to safely bring a given device to market. Attempting to inject good cyber hygiene at 524b submission time is a recipe for disaster. Best practices – consistent Penetration Testing, identifying post-market vulnerabilities, SBOM, etc. – should be in place from day one of development.
Step 2: Prepare your premarket submission
The vast majority of medical devices will require a Premarket Submission of some type. Again, a great resource to identify which submission is appropriate is the FDA’s Product Classification database. Your device is likely to fall under one of four submission types:
- 510(k) Submission: Most Class I and Class II devices fall here. In a 510(k), the sponsor must demonstrate that the new device is “substantially equivalent” to a predicate device in terms of intended use, technological characteristics, and performance testing, as needed.
- PMA Submission: Class III medical devices almost always require a PMA. A PMA submission requires significant interaction with the FDA, quality management systems, and usually human clinical trials. The FDA usually processes PMA applications within 180 days.
- De Novo Classification Request: This submission type is unique in that it applies to new-to-market devices for which there is no predicate device currently in market. The De Novo is essentially a pathway to market for novel devices, provided the device efficacy and safety can be clearly proven under FDA Guidelines.
- HDE Submission: This submission type is geared specifically towards devices that benefit patients with rare conditions. An HDE is required for medical devices intended to benefit patients in the treatment or diagnosis of a disease or condition that affects or is manifested in not more than 8,000 individuals in the United States per year.
Step 3: Submission
Now the fun begins! Well, not really. The good news is that you’re halfway home and the submission process does involve in-depth discussions with representatives from the FDA. The bad news is that the submission process itself is as expensive and it is intense. There is a user fee required with each submission, ranging from $21,760 to nearly half a million dollars. No small potatoes.
For complex medical device submissions under 524b have a look at the eSTAR Program. It’s an interactive PDF which is a helpful guide through the process. Once submitted there are two reviews to be conducted, one Administrative and one Interactive. The administrative review is an assessment performed by the FDA to ensure the submission is complete. During the interactive review, the FDA will be in regular communication with applicants – assisting through the process and streamlining it where possible.
Step 4: Regulatory compliance control
Regardless of classification (I, II, or III), every medical device is subject to regulatory controls unless very specifically exempt. Take note that earning this exemption is rare and requires substantial work. Achieving compliance under the stated regulatory controls is no walk in the park. You’ll need to:
- Provide the complete design and development plans of your device, including design input and outputs, design verifications and validations, design changes and history.
- Deliver a comprehensive overview of your manufacturing information, which includes both internal and external 3rd-party audits.
- Detail your specific process and results of how inspection, measuring, and testing of equipment is routinely calibrated, inspected, checked, and maintained.
These are just three brief examples of the myriad of compliance work that needs to be undertaken on the road to achieving FDA approval.
The ultimate takeaway here is to start early. Understand what class your device falls under. Spend the time (arduous as it may be!) clearly outlining for your organization what specific regulatory requirements the FDA will apply to your submission. And most importantly, embrace good cybersecurity hygiene from device development through post-market.
You really can’t start early enough. From a clean 524b submission, to the untold dollars saved from avoiding cyber incidents, to safely bringing devices to the public and thereby changing lives for the better… the benefits to maintaining a strong cybersecurity posture cannot be overstated.