In today’s marketplace, technology evolves at a rapid rate, and must adapt to changing circumstances, such as threats to cybersecurity. For device companies, some types of modifications to devices post-market − potentially including cybersecurity-related changes − are reportable to the FDA. In particular, corrections to devices already in the field trigger FDA reporting under 21 C.F.R. Part 806.
What do device manufacturers need to know to understand their obligations under Part 806? The reporting threshold is whether a correction or removal is initiated “to reduce a risk to health” or to remedy a violation of FDA law “which may present a risk to health.”
A correction is a repair, modification, adjustment, relabeling, destruction, or inspection of a device without its physical removal from its point of use. A correction may be made on site (e.g., through a service visit), or remotely (e.g., by pushing out system upgrades electronically). Removal, in contrast, involves pulling back product from its point of use.
A risk to health means (1) a “reasonable probability” that the product “will cause serious adverse health consequences or death”; or (2) the potential for “temporary or medically reversible adverse health consequences, or an outcome where the probability of serious adverse health consequences is remote.”
When is a change to a device reportable under Part 806?
The line between a reportable correction and a non-reportable product enhancement can be ambiguous. In 2014, the FDA issued its Final Recall and Enhancement Guidance, aiming to clarify the types of device changes that trigger Part 806 reporting. This guidance did not directly address device changes that concern cybersecurity threats.
With rising awareness of the potential impact of cyberattacks and security oversights, the FDA explicitly addressed the applicability of Part 806 in its 2016 Draft Postmarket Cybersecurity Guidance. This guidance addresses (1) medical devices that contain software (including firmware) or programmable logic; and (2) software that is a medical device. It asserts that manufacturer obligations now include monitoring, identifying, and addressing cybersecurity vulnerabilities throughout the product lifecycle.
The FDA underscores key postmarketing responsibilities − the Quality System Regulation (QSR), Part 806, and PMA and 510(k) reporting and filing obligations − and their role in preventing and rapidly responding to cybersecurity threats. With respect to Part 806 specifically, the agency states that most “cybersecurity routine updates or patches” will not trigger Part 806 reporting as a correction. Rather, the FDA will typically consider changes that are made solely to strengthen cybersecurity to be “device enhancements” and thus not reportable.
The 2016 FDA guidance leaves open, however, the possibility that changes made to prevent or remedy certain cybersecurity vulnerabilities and exploits will trigger Part 806 reporting. For example, changes made or other actions taken to address “uncontrolled risk” to “essential clinical performance” would generally be subject to Part 806 reporting requirements. The guidance provides some key definitions:
- A “vulnerability” is defined as a weakness in a system, security procedure, control, or implementation that leaves IT open to exploitation by a “threat.”
- An "exploit" means the vulnerability has either accidentally or intentionally been taken advantage of, “and could impact the essential clinical performance of a medical device or use a medical device as a vector to compromise the performance of a connected device or system.”
- “Threats” are circumstances or events with the potential to adversely impact “the essential clinical performance of the device, organizational operations…organizational assets, individuals, or other organizations.”
Not all such scenarios require reporting. The agency does not intend to enforce reporting requirements if:
1) there are no known serious adverse events or deaths associated with the vulnerability
2) within 30 days of learning of the problem, the manufacturer’s changes or compensating controls bring the residual risk to an acceptable level
3) within 30 days of learning of the problem, the manufacturer notifies users and
4) the manufacturer is a participating member of an Information Sharing Analysis Organization.
While the cybersecurity guidance is in draft form, it nonetheless lends insight into the way the agency may apply existing postmarket regulatory requirements (e.g., Part 806) to evolving cybersecurity-related technological issues. As a result, it is prudent for device manufacturers to initiate a dialogue now among their IT, regulatory, quality, and legal teams, and to ensure that these stakeholders are aware of planned changes and upgrades and their potential impact on FDA reporting obligations.