Premier Weighs in with FDA on Cybersecurity Guidance for Medical Devices

Premier submitted comments in response to the FDA’s proposed updates to its 2023 final guidance document, “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions,” which was implemented after the passage of the Premier-supported PATCH Act in 2022. Specifically, the FDA proposes to add a new section that outlines the scope of devices covered by these requirements. The new section also outlines the FDA's interpretation of "reasonable assurance of cybersecurity," which would allow the FDA to deem a device not to meet safety and efficacy requirements if it fails to provide sufficient data related to its cybersecurity protections. In its letter, Premier underscored the need for a comprehensive regulatory framework for medical device cybersecurity and urged the FDA to consider as part of its guidance:
- Affirming and ensuring that approval of a new device does not relieve the manufacturer of maintaining the cybersecurity of the predicate device(s);
- Prohibiting medical device manufacturers from receiving approvals for new devices when the manufacturer demonstrates an inability to reasonably maintain cybersecurity levels over an objectively defined lifecycle;
- Leveraging real-world evidence (RWE) to define a data-driven usable lifecycle to determine how long manufacturers should be required to maintain adequate cybersecurity for the device;
- Creating an equitable mechanism for fining healthcare delivery organizations (HDOs) and device manufacturers when a cybersecurity breach does occur, based upon the root cause analysis of the incident and commensurate with the findings; and
- Continuing to both evaluate the cybersecurity of new software- and algorithm-based medical devices and provide regulatory guidelines flexible enough to apply to the iterative and evolving nature of the software.