
The U.S. Food and Drug Administration (FDA) recently finalized its March 2024 select updates to its guidance “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions” (“Premarket Cybersecurity Guidance”). The select updates appear as a new section (Section VII. Cyber Devices) in the Premarket Cybersecurity Guidance, providing key clarifications on the scope of what FDA considers to be a cyber device and the associated cybersecurity information that FDA considers generally necessary to support manufacturers' premarket submissions.
In 2022, Congress amended the federal Food, Drug, and Cosmetic Act (FDCA) to add Section 524B, which implemented cybersecurity controls intended to ensure the safety and effectiveness of medical devices. Section 524B requires manufacturers making premarket submissions for cyber devices to meet certain cybersecurity requirements, including those intended to “demonstrate reasonable assurance that the device and related systems are cybersecure.”
In March 2024, FDA published a draft guidance consisting of “select updates” to its September 2023 final guidance “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions” (“Premarket Cybersecurity Guidance”), which we summarized online here. The select updates interpret key terms in Section 524B, including the definition of “cyber device,” and provide recommendations to the industry for meeting Section 524B's cybersecurity requirements.
Last week, FDA finalized the select updates, clarifying the scope of the definition of cyber devices. Under Section 524B, a “cyber device” is defined as a medical device meeting all of the following criteria: “(1) includes software validated, installed, or authorized by the sponsor as a device or in a device; (2) has the ability to connect to the internet; and (3) contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.”
FDA interprets the scope of each of these prongs, clarifying that the definition “include[s] devices that are or contain software, including software that is firmware or programmable logic,” meaning a computer program or data stored on or implemented through hardware. FDA further interprets the phrase “has the ability to connect to the internet” in Section 524B(c)(2) to mean “devices that are able to connect to the internet, whether intentionally or unintentionally through any means.” These would include, for example, any device having Wi-Fi, cellular, or Bluetooth capabilities, or hardware connectors capable of connecting to the internet, such as a USB port. As a practical matter, if a device contains or is software capable of receiving an update – whether through the device itself or its environment of use – it is likely to be viewed by FDA as a “cyber device.”
By expanding the definition of “cyber device” to include any device with both software and connectivity features, FDA is acknowledging the pervasive nature of cyber threats in healthcare technology. This nuanced definition reflects an understanding that devices with only minimal software functionality, or functionality present in common technology, can present cybersecurity risks, particularly in an increasingly interconnected healthcare ecosystem.
The finalized version of the select updates also includes FDA's recommendations on the premarket submission documentation needed to fulfill the requirements implemented in Section 524B(b), which requires manufacturers to include in their premarket submissions “a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures.”
FDA interprets the “plan” required by Section 524B(b)(1) to mean a “cybersecurity management plan” as described in Section VI of the Premarket Cybersecurity Guidance, and that also includes:
The finalized version of the select updates differs somewhat from the draft in that it further details the differences between a “known unacceptable vulnerability” and a “critical vulnerability that could cause uncontrolled risk,” as outlined in Section 524B(b)(2). This distinction will dictate the timeline for developing and releasing updates and patches. A “known unacceptable vulnerability” is one that could present controlled risk or that could not, or is not currently known to, present uncontrolled risk, as FDA explains these concepts in its December 2016 final guidance “Postmarket Management of Cybersecurity in Medical Devices.” Manufacturers should consider these risks not only with respect to devices themselves, but also “within the larger context of the environment in which they will be intended to operate.”
To demonstrate a “reasonable assurance that the device and related systems are cybersecure” as required by Section 524B(b)(2), FDA recommends that manufacturers provide the premarket submission documentation outlined in existing Appendix 4 of the Premarket Cybersecurity Guidance. Notably, FDA interprets “related systems” to encompass, “among other things,” a seemingly broad range of “manufacturer-controlled elements” such as “healthcare facility networks.” Finally, to satisfy Section 524B(b)(3), manufacturers should provide a software bill of materials (SBOM) that includes the information outlined in Section V of the Premarket Cybersecurity Guidance.
For cyber device modifications requiring a new premarket submission, the finalized version of the select updates categorizes submissions into two groups: those that “may impact cybersecurity” and those that are “unlikely to impact cybersecurity.”
Examples of the former include “changes to authentication or encryption algorithms, new connectivity features, or changing software update process/mechanisms.” Examples of the latter include “changes in materials, sterilization method changes, or a change to an algorithm without a change to architecture/software structure/connectivity.”
In either case, FDA indicates that it will focus not technically on the “type of change” but rather substantively on any “known cybersecurity concerns” associated with it “in determining whether [a] device has a reasonable assurance of cybersecurity.” Manufacturers must submit all the documentation required for a new cyber device when making changes to an existing cyber device that may impact cybersecurity.
For changes unlikely to impact cybersecurity, FDA will allow manufacturers to summarize any change to their previously submitted plans under Section 524B(b)(1) and, for Section 524B(b)(2), describe any vulnerabilities with uncontrolled risk that currently exist or were remediated since the device's last authorization. This reflects a tighter approach to satisfying Section 524B(b)(2) for changes unlikely to impact cybersecurity. FDA had recommended in its draft select updates that manufacturers submit a “summary assessment” demonstrating a reasonable assurance of cybersecurity, but this approach generated some industry uncertainty about the required scope of the summary. As for Section 524B(b)(3), manufacturers should still submit an SBOM as they would for a new cyber device or a change that may impact cybersecurity.
One of the most crucial aspects of the guidance is the emphasis on the need for manufacturers to establish a comprehensive cybersecurity management plan. This plan not only addresses vulnerabilities but also outlines a proactive approach to monitoring and responding to potential threats. By mandating a structured timeline for vulnerability disclosures and updates, FDA is pushing manufacturers to take cybersecurity seriously, ensuring that devices remain secure throughout their lifecycle.
FDA concludes its finalized select updates by emphasizing its long-standing position – codified, in FDA's interpretation, in Section 3305(c) of the 2023 Food and Drug Omnibus Reform Act – “that ‘a reasonable assurance of cybersecurity’ can be part of FDA's determination of a device's safety and effectiveness” under the various premarket pathways and authorization under them. In the 510(k) context, for example, FDA may find that a subject device is not substantially equivalent to its predicate device in light of new risks or vulnerabilities and inadequate “performance data” indicating that the subject device is nonetheless considered cybersecure.
The guidance also raises important questions about the practical implications for manufacturers, particularly smaller firms and software-only companies that may struggle with the resources needed to comply with these extensive requirements. While FDA's intention is to enhance patient safety and device effectiveness, the burden of compliance could inadvertently stifle innovation, especially for startups that often operate with limited budgets.
Furthermore, the clarification differentiating between “known unacceptable vulnerabilities” and “critical vulnerabilities that could cause uncontrolled risk” is noteworthy. This distinction will likely influence risk management strategies and timelines for updates, thus impacting how manufacturers allocate resources for cybersecurity efforts.
Overall, while the finalized guidance sets a robust framework for ensuring the cybersecurity of medical devices, it will also require manufacturers to adapt and potentially transform their approach to product development, testing, and post-market monitoring. As the technological landscape continues to evolve, FDA's proactive stance on cybersecurity serves as a critical reminder that safety in healthcare is not solely about physical devices but also about safeguarding the digital environments in which they operate.
Authored by Randy Prebula, Jodi Scott, Lina Kontos, and Kelliann Payne.