With amendment 524b officially enacted, medical devices across the United States (and the globe) are living under some new rules and procedures. You’re not alone if you are finding these new regulations a bit complex. Changes to business practices – particularly ones that involve millions of investment dollars, countless hours of development, and (literally) people’s lives at stake – can be a real challenge.
Let’s chip away at some of this complexity. It’s easy to view 524b as merely a new submission process, with some extra documents to complete. But of course, there’s more to it than that. The right lens through which to consider this new legislation is the eyes of the consumer. Simply put, the FDA has recognized the potential cybersecurity risks posed to the public by medical devices and has responded with 524b. In their own words, published on September 27, 2023:
As more medical devices are becoming interconnected, cybersecurity threats have become more numerous, more frequent, more severe, and more clinically impactful. As a result, ensuring medical device safety and effectiveness includes adequate medical device cybersecurity, as well as its security as part of the larger system. This final guidance supersedes the final guidance “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” issued October 2, 2014.
A lot of words there! To distill their message down, the bottom line is this: bringing medical devices to market in the US just got a lot harder. Having said that, the FDA has pulled together a four-step guidance process to help on your journey from development to market.
Medical Devices are categorized into one of three classes, based on the potential risk the device could pose. For example, Class I is likely cosmetic and presents minimal potential for harm. On the other hand, Class III devices are likely “life or death,” in that they present significant risk of illness or injury. Class II devices are a bit less clearly defined. Two important things to take keen note of:
What’s critical (hence why this is Step 1!) is to identify your device’s class early in the development process. Its class will dictate the precise, ongoing cybersecurity measures needed to safely bring a given device to market. Attempting to inject good cyber hygiene at 524b submission time is a recipe for disaster. Best practices – consistent Penetration Testing, identifying post-market vulnerabilities, SBOM, etc. – should be in place from day one of development.
The vast majority of medical devices will require a Premarket Submission of some type. Again, a great resource to identify which submission is appropriate is the FDA’s Product Classification database. Your device is likely to fall under one of four submission types:
Now the fun begins! Well, not really. The good news is that you’re halfway home and the submission process does involve in-depth discussions with representatives from the FDA. The bad news is that the submission process itself is as expensive as it is intense. There is a user fee required with each submission, ranging from $21,760 to nearly half a million dollars. No small potatoes.
For complex medical device submissions under 524b, have a look at the eSTAR Program. It’s an interactive PDF that guides you through the process. Once submitted, there are two reviews to be conducted: one administrative and one interactive. The administrative review is an assessment performed by the FDA to ensure the submission is complete. During the interactive review, the FDA will be in regular communication with applicants – assisting through the process and streamlining it where possible.
Regardless of classification (I, II, or III), every medical device is subject to regulatory controls unless very specifically exempt. Take note that earning this exemption is rare and requires substantial work. Achieving compliance under the stated regulatory controls is no walk in the park. You’ll need to:
These are just three brief examples of the myriad compliance tasks that need to be undertaken on the road to achieving FDA approval.
The ultimate takeaway here is to start early. Understand what class your device falls under. Spend the time (arduous as it may be!) clearly outlining for your organization what specific regulatory requirements the FDA will apply to your submission. And most importantly, embrace good cybersecurity hygiene from device development through post-market.
You really can’t start early enough. From a clean 524b submission, to the untold dollars saved from avoiding cyber incidents, to safely bringing devices to the public and thereby changing lives for the better… the benefits to maintaining a strong cybersecurity posture cannot be overstated.
The post Navigate FDA 524b to get your medical cyber device to market first appeared on Pen Test Partners.