Software in Medical Devices, by MD101 Consulting

Section VII

The major change is the addition of a new Section VII.
This section explains how to apply the requirements of Section 524B of the Federal Food, Drug, and Cosmetic Act (FD&C Act) concerning the cybersecurity of connected medical devices.

Cyber devices

These MDs are called “cyber devices” by the FDA. The definition of cyber device includes in its scope a device that is connected, even indirectly, to a network. A MD with a USB port is considered a cyber device, even if it is not intended to be connected to a network. Hence, a misuse of this USB port could be to connect a USB adapter to a network socket.

Documentation required by Section VII

Section VII specifies the documentation required to comply with section 524B of de FD&C Act. The documentation requirements are bound to sub-sections of 524B.

524B(b)(1) Vulnerability Monitoring and Management Plan

This plan must specify deadlines and justifications for the development and deployment of updates and patches, taking two cases:

1. Regular updates for known but controlled vulnerabilities, and
2. Urgent out-of-cycle updates for critical vulnerabilities that could lead to uncontrolled risks.

This plan shall also include Coordinated Vulnerability Disclosure procedures.

Practically speaking, you should have and document a policy to update software according to the CVSS of identified vulnerabilities. E.g.: out-of-cycle updates for CVE with CVSS higher than 9 or CVE with safety impact, regular updates for others.

524B(b)(2) Cybersecurity design and maintenance process

This process must demonstrate that the device and related systems are designed, developed and maintained to ensure a reasonable level of cybersecurity. we recognize here the FDA's risk-based approach.
The application of the other sections of this guidance, IEC 81001-5-1 and AAMI SW76 is one way of implementing this design process.

524B(b)(3) A Software Bill of Materials (SBOM)

Section V.A.4.b of the document is referenced here. The SBOM can follow the NTIA minimal SBOM requirements.

Modifications

In addition, any modification requiring a new regulatory submission must also comply with section 524B. If the modification has an impact on cybersecurity, all relevant documentation must be provided, following this guidance and the guidance on cyber post-market surveillance.

For modifications with no impact on the cybersecurity of an existing device for which such documentation did not exist, the FDA still expects some documentation:

1. The Vulnerability Monitoring and Management Plan must be provided,
2. The manufacturer must demonstrate that there are no critical vulnerabilities, and
3. The SBOM must be provided.

For example:
If you cleared a device before 2023, It is quite possible that you didn't submit any documentation on cybersecurity.
If, today, you submit a change, claiming equivalence with your own device, then the FDA expects documentation on the three points above:

• The change has an impact on cybersecurity: fully follow the FDA guidance,
• The change has no impact on cybersecurity: follow partially the guidance. Especially for #2 in order to demonstrate that there are no critical vulnerabilities.

In this second case, a very minimal cybersecurity document set to add to your existing device submission is:

1. The Vulnerability Monitoring and Management Plan
2. Documents demonstrating the absence of critical vulnerabilities, usually:
   1. On the risk management side: A cyber Risk Management File,
   2. On device design side: Some cyber risk control measures, as applicable
   3. On V&V side: A pen test report.
   4. On device IFU side: informations relevant to users but also administrators of the device, as applicable
3. The SBOM.

Don't expect to get a FDA clearance without these documents.