
May 1, 2025
by Jeff Craven

MedCon: Experts offer guidance on meeting FDA’s heightened cybersecurity requirements

COLUMBUS, OH – The US Food and Drug Administration (FDA) has been “more than reasonable” in its asks to companies in proving the cybersecurity of medical devices, a panel of experts told attendees at the 2025 MedCon conference, sponsored by the AFDO/RAPS Healthcare Products Collaborative.
 
As part of the 2023 Consolidated Appropriations Act passed by Congress, FDA has gained new statutory authority, and the September 2023 final guidance on cybersecurity notes that sponsors must have processes in place to ensure a medical device is cybersecure and to anticipate and address cybersecurity vulnerabilities in the device. Sponsors must also submit a software bill of materials (SBOM) along with their submission and comply with FDA requests to ensure the device and connected systems are cybersecure. (RELATED: FDA premarket cybersecurity guidance clarifies SBOM requirements, Regulatory Focus 28 September 2023)
 
Before the law changed, FDA needed to tie a cybersecurity concern to safety and effectiveness, Chris Reed, senior director of cybersecurity policy, global regulatory affairs at Medtronic, told attendees. “That bar is actually not an easy bar in a lot of cases to tie to, and so it really did make their job more difficult,” he said.
 
While his company has had to educate FDA to see a situation differently, companies cannot simply ignore these new requirements, and the agency is now able to tell companies that they don’t have good “cyber hygiene” and make them remediate deficiencies.
 
“The big change that happened is that FDA can now just say you have bad cybersecurity,” he explained. “It doesn't matter if your device is good and effective, you're in trouble, or you're rejected or whatever. They don't have to make the tie to safety and effectiveness anymore, which is generally a good thing.”
 
Although the final guidance is detailed, and the agency is looking for more documentation, “these are not unreasonable things to be asking for, and I think FDA has been more than reasonable,” Reed said. “We’ve all faced deficiencies as we've learned how to communicate and document, but I've yet to run into a case where FDA is just asking for something that isn't reasonable.”
 
Common deficiencies
 
With new requirements comes “a lot of documentation,” Reed said, which can sometimes make it difficult for FDA reviewers to find the documentation they’re looking for. “The most common thing that we see is it's there, we just didn't do an effective job mapping to it, and we're just having to tell them actually it's there,” he said. Other times, Reed said his company has had to file a submission issue review to outline the logic of a component of a submission or why testing was documented a certain way.
 
Axel Wirth, chief security strategist at MedCrypt, said inconsistent documentation is also the most common problem he sees when working with companies.
 
“You submitted a threat model that does not match your architecture diagrams, you submitted a final test report that does not properly trace back to your risk analysis or identified security requirements or controls. I think that's the single biggest category,” he said.
 
The second biggest category, Wirth said, is the use of outdated protocols such as a deprecated cryptographic algorithm or an old Transport Layer Security (TLS) protocol like TLS 1.1 or earlier. “We see rejections because of that,” he said.
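An added example, not from the article or the panelists, of the kind of pre-submission check that catches the rejection triggers Wirth describes: it scans a constructed nginx-style TLS configuration for protocol versions below TLS 1.2 and for deprecated cipher algorithms, and shows a client context pinned to TLS 1.2 or later. The protocol and algorithm lists are this example's assumptions, not text from the FDA guidance.

```python
import ssl

# Versions and algorithms treated as outdated for this audit (assumed list;
# the guidance itself is not quoted here).
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}
DEPRECATED_ALGORITHMS = ("RC4", "DES", "MD5", "NULL", "EXP")


def audit_tls_config(config_text: str) -> list[str]:
    """Return one finding per deprecated protocol or cipher algorithm found in
    nginx-style ``ssl_protocols`` / ``ssl_ciphers`` directives."""
    findings = []
    for line in config_text.splitlines():
        line = line.strip().rstrip(";")
        if line.startswith("ssl_protocols"):
            for proto in line.split()[1:]:
                if proto in DEPRECATED_PROTOCOLS:
                    findings.append(f"deprecated protocol enabled: {proto}")
        elif line.startswith("ssl_ciphers"):
            for suite in line.split(None, 1)[1].split(":"):
                if suite.startswith("!"):
                    continue  # explicitly disabled by the config, not a finding
                if any(alg in suite.upper() for alg in DEPRECATED_ALGORITHMS):
                    findings.append(f"deprecated algorithm in cipher suite: {suite}")
    return findings


def hardened_client_context() -> ssl.SSLContext:
    """Client-side context that refuses any handshake below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# Constructed sample configurations: the weak setting beside the corrected one.
WEAK_CONFIG = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:RC4-SHA:DES-CBC3-SHA:!aNULL:!MD5;
"""
HARDENED_CONFIG = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256;
"""

if __name__ == "__main__":
    for finding in audit_tls_config(WEAK_CONFIG):
        print("WEAK:", finding)
    print("HARDENED findings:", audit_tls_config(HARDENED_CONFIG))
```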
 
Challenging FDA findings
 
“The FDA does go deep. They look at all the documentation,” Wirth said. “You need to be certainly ready to challenge any findings, because you can’t assume that everybody at FDA who reviews the documentation is a cybersecurity expert.”
 
While FDA reviewers may use a checklist for your submission, “it may not capture the nuances of your particular submission,” Wirth said. “You indeed have, I think, opportunity with challenges to push back on FDA findings.”
 
Eric Henry, senior quality and regulatory compliance advisor, FDA and Life Sciences Practice at King & Spalding LLP, elaborated on this issue, highlighting a requirement in the final guidance that a premarket submission contain a minimum of four different security architecture views. “If they can’t see clearly you have all four, you’re going to see it in a deficiency,” he said.
 
Providing a roadmap for reviewers
 
Reed said the key to limiting deficiencies related to cybersecurity is to help the FDA reviewer follow their templated checklist.
 
“[R]eally, our design history file should speak for itself, and our philosophy is [when] we do our submissions right now is we just need to provide the roadmap that gets them when they're going through their template, that they can find what they need,” he said.
 
The final guidance contains an appendix that lists all the documents a reviewer expects to see when reviewing a device.
 
“[W]e basically build a table that, from the reviewer's perspective, [shows] what you're looking for,” Reed said. “It's basically our checklist. Can we map all these things, and by doing that, we've actually gotten to the point where I would say it’s the exception now that we're getting deficiencies.”