November 2023 – Making Sense of FDA’s Latest Cybersecurity Guidance for Medical Devices including the Predetermined Change Control Plan (PCCP).
Everyone knows that cybersecurity has become a big issue for medical devices, but unless you have a background in security, it can be difficult to understand what’s required. And a lot is required now. Starting October 1st, the rules changed for FDA submissions in multiple ways because of cybersecurity requirements. First, FDA released its new final cybersecurity guidance in September 2023 (Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions), which replaces the earlier guidances. Second, the FDA now has Refuse To Accept (RTA) authority for inadequate cybersecurity content in submissions (translation: if something’s missing, they won’t even read it). Third, with the mandatory use of the eSTAR submission software, you won’t even be able to complete your submission without adequate cybersecurity content.
This can seem overwhelming to medical device companies already struggling to keep up with all the other areas of regulation (biocompatibility, usability, labeling, etc.). The good news is that there is now a lot of information available to help you implement and document cybersecurity. However, if you don’t understand the key concepts in cybersecurity, you’ll have a hard time interpreting all that guidance. So I’ve written this post to help newcomers to medical device cybersecurity start with the right mindset and key concepts (written with a nautical theme): An Introduction to Medical Device Cybersecurity on the High Seas.
And for those who already know the basics, look at this post: Getting Started with the New FDA Cybersecurity Guidance, which is an overview of the new FDA cyber guidance with links I’ve collected to expert online content.
Watch Out for Paradigm Shifts
Over the past 10+ years, there’s been a big change in how medical device cybersecurity is managed:
- Old paradigm: the hospital (customer) would manage cybersecurity. Manufacturers could assume that hospitals would provide a secure environment for all connected medical devices (perimeter security).
- New paradigm: cybersecurity depends on a partnership between medical device manufacturers and their customers. Manufacturers must build security into their products by design and practice security in operation while supporting those products, so that the products remain secure throughout their lifetime.
Predetermined Change Control Plan (PCCP)
This year, the FDA has introduced a lot of new rules (guidances) for medical device companies. Fortunately, they have also introduced a valuable new tool to make life a little easier: the Predetermined Change Control Plan (PCCP). A PCCP allows companies to make changes to their products within pre-approved areas (“focused and bounded” changes) without re-submitting to the FDA. For details, here is the summary from FDA: Notes on guiding principles for PCCP (APR 2023).
This draft FDA guidance describes using PCCPs for medical devices with Machine Learning/AI features: Predetermined Change Control Plan for Artificial Intelligence/Machine Learning (AI/ML) Enabled Device Software Functions (APR 2023). Important: PCCPs also apply to many other kinds of changes, including changes to medical devices that don’t incorporate AI/ML features.
For a practical overview of the advantages and limitations of PCCPs, I recommend this webinar from RQM+ consultants: Showcasing FDA’s Latest Pre-Sub Guidance and Uncovering PCCP Best Practices (JUN 2023).
Unpacking FDA Guidance: Quality System Considerations and Content of Premarket Submissions – Medcrypt webinar on the new FDA cybersecurity guidance – Oct 12, 2023
FDA webinar: Cybersecurity in Medical Devices – The FDA presented a webinar discussing the new guidance on November 2, 2023. The first 30 minutes are just a straightforward walkthrough of the new guidance. The remaining 60 minutes are Q&A, which I found most interesting. (recording to be posted to their website shortly)
I will describe the advantages of using Adaptive Design Controls in your QMS for managing complex, software-intensive medical devices in a webinar hosted by Orcanos next month. Stay tuned for time and date.