Analysis: FDA's Reworked Premarket Medical Device Guidance
Attorney Yarmela Pavlovic Discusses Proposed Provisions
The Food and Drug Administration's recently issued draft document, which updates the premarket medical device cybersecurity guidance it originally issued in 2014, contains several important provisions, says regulatory attorney Yarmela Pavlovic.
"The 2014 guidance that FDA issued about premarket [cybersecurity] considerations was fairly sparse; it wasn't particularly detailed," Pavlovic notes in an interview with Information Security Media Group. "It was the first time FDA raised the issue of cybersecurity in a guidance, and it talked predominantly about the types of documents that companies should provide when submitting a marketing application to FDA."
By comparison, FDA guidance issued in 2016 for postmarket medical device cybersecurity was much more detailed, she says.
But the recently released draft version updating FDA's premarket medical device cybersecurity guidance "rolls in quite a lot of the details that were in the postmarket guidance, but frames it in the design and development phase," she explains. "Together, the two are more cohesive."
Tiers of Risk
An important addition in the draft update is the introduction of two different classifications of cybersecurity risk, she says. "That directly impacts the type of documentation that companies should provide in their submissions to FDA."
In the context of the guidance, the purpose of the tiers is to drive the type of information that FDA gets to review during the premarket phase, Pavlovic explains. "So the idea is that companies would generally generate the same types of documentation, the same level of information, regardless of the type of device. But the specific risks for each device are going to determine the type of mitigations that are appropriate and how extensive those mitigations need to be.
"The idea is that FDA should be spending its time and attention when it comes to cybersecurity reviews on devices where cybersecurity could have a real and direct impact on patient safety."
In the interview, Pavlovic also discusses:
- Why a new proposal in FDA's draft guidance that would require manufacturers to make available a "cybersecurity bill of materials" is controversial;
- The significance of FDA's cybersecurity guidance documents being labeled "non-binding" and what that means for medical device manufacturers during the premarket review process by the agency;
- What to expect from FDA's cybersecurity review of "software as a medical device" and other digital health products as the agency streamlines its regulatory processes for certain products.
Pavlovic, a partner in the San Francisco office of the law firm Hogan Lovells LLP, assists medical device manufacturers in getting FDA marketing approval for their products. Previously, Pavlovic was an attorney at law firm Pepper Hamilton LLP.