The FDA can be slow to change its ways, but its guidelines aren't immutable. As new technological concerns arise, the agency adapts its suggestions on how medical device manufacturers should respond, and as a recent guidance reveals, cybersecurity is definitely on the FDA's radar.
For device makers, this has a number of critical implications that are sure to impact how quality management systems are implemented and maintained.
In its October 2014 guidance on the content of premarket submissions for management of cybersecurity in medical devices, the FDA notes that more and more devices are connected to the Internet and other communication networks. The agency further maintains that effective cybersecurity plays an important role in helping ensure the safety and functionality of modern connected devices.
How Does the FDA Define Cybersecurity?
According to the 2014 guidance, cybersecurity processes focus on halting unauthorized data use or access. This also extends to access rights control; for instance, unauthorized parties shouldn't be able to prevent medical device users from obtaining normal benefits or stop doctors from accessing patient records.
When it comes to how manufacturers implement cybersecurity controls, the FDA doesn't recommend specific techniques, but that doesn't grant you unchecked latitude. The guidelines explicitly say your premarket submission should justify the cybersecurity functions you implement. As with other aspects of the predicate rules the FDA only gives you broad guidance on how to interpret the regulations.
It is up to you and your company to define how the regulations are to be interpreted. This interpretation normally takes the form of company policies, standard operating procedures and work instructions.
Even if you've already been including cybersecurity features in your devices, you'll need to formally support your actions if you want to gain approval, and this means you'll require effective documentation standards.
Defining Your Cybersecurity Responsibilities
It's also worth noting that the agency's guidance included a page-long list of functions that device manufacturers should consider. These were ostensibly intended to fulfill tasks such as controlling user access, ensuring software and other content is trustworthy and dealing with threats. Unfortunately, these suggestions don't provide a complete blueprint to building an effective quality management system.
For comprehensive information, you have to look to the standards the FDA recognizes for their adherence to accepted IT security practices. These include multiple IEC, ANSI, AAMI and CLSI documents pertaining to diverse networks, medical devices and IT risk management principles. Remember, however, that these rules can also change with time, and the FDA is almost certain to adopt new consensus standards as time goes on.
If you want to stay compliant, you ultimately need to implement a quality management system that can accommodate the way technology evolves. Yes, it's important to understand the applicable scope of regulations like FDA CFR 21 and know what compliance steps suit your specific manufacturing process, but these factors could change with little warning. Can your quality management system keep pace?
Cybersecurity is a nascent field: Your grasp of its tenets may yet be fleeting. GxP-CC consultants understand how to help you build a quality management system that matures along with technology and regulatory guidelines.