For companies in the medical device industry, device security is a critical component. With the acceleration of remote patient monitoring, both medical providers and patients can benefit: clinicians have more data and can take a proactive approach to care delivery, and patients with chronic diseases can achieve better outcomes. It’s an innovative and necessary piece of the future of healthcare, but none of it comes to fruition without medical device security.
The U.S. Food and Drug Administration (FDA) oversees the approval of medical devices and has recently instituted new legal requirements related to cybersecurity. A big part of the approval process is the 510(k) submission, and many manufacturers see theirs kicked back. So, what should you do if this occurs? Let’s find out.
What Is a 510(k) Submission to the FDA?
A 510(k) is a premarket submission made to the agency that should demonstrate that the device is safe and effective for the market — that it is substantially equivalent (SE) to a legally marketed device.
The process involves comparing the device up for clearance to one or more similar, already-marketed devices (predicates). Based on the claims in the 510(k), the FDA can determine that a device is SE. Until this occurs, its maker cannot proceed to market. The decision usually arrives within 90 days. It’s the most common pathway to market for medical devices.
A device is SE if, when compared to a predicate, it has:
- The same intended use and technological characteristics of a predicate, or
- The same intended use with different technological characteristics that do not raise new questions of safety and effectiveness, and the submission to the FDA demonstrates that the device is safe and effective.
While most organizations apply the FDA rules to their submission, the agency often kicks submissions back if it deems them not to meet the requirements.
The key components of a 510(k) are safety and effectiveness. Safety includes the device being able to meet cybersecurity standards, and the new requirements from the FDA put security front and center.
New FDA Laws Require Cybersecurity Standards
After numerous security issues with medical devices, the FDA has taken new action relating to cybersecurity standards. As a result of a stream of breaches, which are unfortunately commonplace in healthcare, the FDA updated Section 524B of the Food, Drug, and Cosmetic Act (FD&C Act). The new rules state that all regulatory submissions for medical devices must provide information regarding four core cybersecurity requirements. Enforcement of this begins October 1, 2023.
The requirements include:
- Submission of plans outlining how the company will track and address cybersecurity issues that occur after the device is on the market
- Implementing internal procedures focused on medical device security and ensuring that patches and updates are distributed after identifying vulnerabilities
- Development of a “software bill of materials” that would be part of their FDA filings and must encompass all software components in the device
- Compliance with yet-to-be-created rules that will establish more requirements around being cyber secure
Additionally, federal agencies have work to do on their end. The law requires that the FDA and the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) collaborate on updating medical device cybersecurity guidance.
The updated laws are just another element of FDA clearance, which often starts with the 510(k). What must your submission include to ensure acceptance?
What Does a 510(k) Submission Include?
A 510(k) submission is not an easy process. It must encompass a lot of data and documentation, and you have to use the correct templates and decipher FDA guidelines. You’ll also need to complete the Refusal to Accept (RTA) checklist, which is what the FDA uses to determine whether your device meets the minimum threshold for review. It’s 56 questions.
Even after all this hard work, you may receive a rejection. So, why might the FDA deny your submission?
Most Common Reasons for a Rejected 510(k) Submission
The FDA recently analyzed issues in the submission process. It looked at two cohorts — one to assess quality and another to assess why review cycles were increasing. In the first cohort, it discovered that 83% of submissions had at least one deficiency relating to quality. Cohort 2 had similar findings, with 82% having such a problem. Much of the time, the FDA needs more information and will request it.
Quality problems are prevalent, and the report listed these deficiency categories:
- Inadequate device description. The description must clearly state what the device should do. Without it, the process can’t move forward.
- Discrepancies throughout the submission. These can vary but are most often related to device description or indications for use.
- Problems with indications for use. For a device to be found substantially equivalent, it must have the same indications for use as the device already on the market, or any differences must not alter the intended use. Performance data is the evidence for this.
- Failing to follow or address current guidance documents or recognized standards. The FDA issues guidance and recognizes standards to help manufacturers. Not aligning with this will kick back your 510(k).
- Performance testing is incomplete or missing. Performance testing is a requirement for 510(k) submissions. Omitting it or not providing enough of it causes a rejection.
- Clinical data for the device is missing. For some device types, the FDA mandates clinical data. If your product falls into this category, you must have it as part of your submission.
There are other reasons your 510(k) may not meet the requirements of the FDA, such as:
- Not using the correct FDA templates
- Failure to follow and/or complete the RTA checklist
- Selecting the incorrect predicate device for the submission
- Skipping sections that don’t apply by leaving them blank
Another leading reason for a 510(k) kickback relates to cybersecurity and the guidelines of the FDA regarding securing medical devices.
The Cybersecurity Requirements for 510(k)
A 510(k) must include the information defined in the new guidance discussed earlier. It states explicitly that cybersecurity information must accompany the premarket submission for products that meet the “cyber device” definition under Section 524B(c). A cyber device is defined as one that contains software “validated, installed, or authorized by the sponsor as a device,” can connect to the internet, and has technological characteristics that could leave it vulnerable to cyber threats.
The submission must describe how you will monitor, identify, and address cybersecurity vulnerabilities once the device is on the market. You also must establish a cybersecurity program, make patches and updates available, and include the software bill of materials.
As cybersecurity becomes a larger risk to the medical device industry, the FDA will become more stringent and rigid on approvals if these requirements go unmet.
So, what do you do if the FDA rejects your premarket submission?
What to Do if the FDA Kicks Back Your 510(k)
Making a plan to resubmit depends on why the submission didn’t meet the requirements. It could be an administrative issue, such as using the wrong templates. You could be missing essential data or the RTA checklist, or you could have selected the wrong predicate device. Discrepancies within the submission can also hinder it. If faced with these reasons, you’ll have to fill in what you’re lacking. The fix may be a few minor changes or something more widespread, and it will require consultation and review by your internal team and legal counsel.
If the rejection relates to cybersecurity, you could have a bigger issue. You’ll want to engage a cyber firm specializing in medical devices to work alongside your programmers and IT teams. From there, they’ll need to evaluate the submission against the requirements of the FDA to see where the gaps are.
In many cases, the problems relate to a lack of clarity or completeness around how you’ll address cybersecurity issues after the device is in use, or to a cybersecurity program that is too ambiguous. So, how do you fix these things? Often, it requires a fundamental shift in how you manage and think about cybersecurity.
The key to addressing these errors is developing a cyber program that is constantly evolving and adhering to compliance guidelines. It’s more than just the submission of a strategy or plan; it’s about how you’ll execute it, which should involve cybersecurity assessments and pen testing.
How Cybersecurity Assessments and Pen Testing Support 510(k) Submissions
Hiring an experienced cyber firm to help you with your submission and medical device security program will keep you on track to approval. You’ll be working with experts who understand the FDA requirements for your 510(k) premarket and postmarket submissions. They’ll perform the assessment and pen testing in alignment with FDA guidelines. It’s the best and most accurate way to understand vulnerabilities and how to resolve them to ensure you meet the FDA conditions.
After an initial assessment, pen testing, and strategy development, you’ll be able to resubmit your 510(k) with confidence. But your commitment to cybersecurity doesn’t stop there. You should do regular vulnerability assessments and pen tests, as they will keep you in compliance with the FDA’s protocols.
If you need help with a 510(k) submission or resubmission, we can help. We’re medical device security experts. Get started by scheduling a discovery call today.