Arunkumar Prabhakaran, Regulatory Affairs Manager
FDA has been continually educating the medical device industry on cybersecurity risks and the need for reliable postmarket risk management plans for medical devices containing software functions (also known as cyber devices). As part of the cybersecurity initiative, FDA recently added Section 524B “Ensuring Cybersecurity of Devices” to the FD&C Act and released a guidance document providing recommendations to ensure that your cyber devices undergo appropriate post-market surveillance.
Per this new policy, your premarket submissions (such as 510(k), De Novo, and PMA) should include a plan to monitor and address postmarket cybersecurity vulnerabilities, along with other cybersecurity and software documentation. Submitting a postmarket surveillance plan for your cyber device is important since FDA has made it mandatory. All future submissions for cyber devices without a postmarket risk management plan will not pass an initial Refuse to Accept (RTA) check come October 1, 2023.
So, how do you put together an effective postmarket surveillance plan? Do you need cybersecurity testing to identify cybersecurity vulnerabilities? The answer is yes! There are ways to identify cybersecurity vulnerabilities, mitigate risks as much as possible, and create a plan to mitigate the foreseeable risks after FDA approval. The common way of finding these vulnerabilities is to perform vulnerability testing and penetration testing along with your risk analysis. You might have heard the term vulnerability testing, but what is penetration testing? As the name indicates, penetration testing characterizes security-related issues through tests that focus on discovering and exploiting security vulnerabilities in the product. Once these security issues are identified, you can address the potential risks that the cybersecurity testing found and prepare a plan to mitigate them in the future.
RQMIS has successfully conducted cybersecurity testing (vulnerability and penetration) for medium- to high-risk cyber devices. Contact us today for help preparing your postmarket cybersecurity surveillance plan and your premarket submissions!