Example #12: Missing Documentation on Differentiating Privileges Based on User Roles Required to Protect the Device Cybersecurity

By Robert Rajewski, President, CriTech Research, Inc.

Here’s this week’s example of an Additional Information Request (AI Request):

FDA Additional Information Request – Example #12: Missing Documentation on Differentiating Privileges Based on User Roles Required to Protect the Device Cybersecurity

You did not provide documentation on the cybersecurity controls used to protect the device.

Adequate authorization controls are important to comply with the requirements specified in section 524B(b)(2) of the Federal Food, Drug, and Cosmetic Act to provide a reasonable assurance that the device and related systems are cybersecure. It is also consistent with recommendations in Section 5 of the FDA guidance document “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” that cybersecurity functions, including authorization controls, be included in the device.

Specifically, this guidance recommends that where appropriate, manufacturers employ a layered authorization model by differentiating privileges based on the user role (e.g., caregiver, system administrator) or device role.

Therefore, please provide a description of how authorization is addressed in the design and define the privileges each role has on the device, including any differences in available connectivity. Additionally, please provide what authentication processes are associated with each authorization level.

In this example, the company neglected to provide the required cybersecurity control information to the FDA in its 510(k) submission. Specifically, the FDA is looking for how the medical device company employed a layered authorization model, where various user roles have different privileges.

FDA put the submission “On Hold” until the medical device company describes how authorization is handled by the design and defines the privileges each user role has on the device. The agency is also concerned with any differences various user roles have in connectivity to the outside world. Lastly, the agency is asking for documentation of the authentication processes associated with each authorization level.
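The following is an added illustration of what a layered, role-differentiated authorization model can look like when written down as enforceable policy; it is not code from the original post, from CriTech, or from any FDA document. The FDA request names only "caregiver" and "system administrator" as example roles; the "clinician" role, the privilege names, the network interfaces and the authentication levels below are constructed assumptions. The point is that the same table that drives the device's access decisions (privileges per role, connectivity per role, and the minimum authentication required to assume each role) can be rendered directly into the authorization description a submission needs.

```python
"""Role-differentiated authorization model for a connected medical device.

Added illustration, not code from the original post or from CriTech.
Roles other than caregiver / system administrator, the privilege names,
interfaces and authentication factors are constructed assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class AuthLevel(Enum):
    # Ordered so that a stronger level satisfies a weaker requirement.
    NONE = 0
    PIN = 1                 # local PIN entry on the device keypad
    PASSWORD = 2            # password checked against the device's credential store
    PASSWORD_AND_TOKEN = 3  # password plus a second factor (e.g., hardware token)


@dataclass(frozen=True)
class RolePolicy:
    privileges: frozenset       # actions this role may perform on the device
    connectivity: frozenset     # network interfaces this role may use
    auth_level: AuthLevel       # minimum authentication required to assume the role


# Constructed privilege matrix. Each row is one line item a submission could
# document: role, privileges, connectivity differences, authentication process.
ROLE_POLICIES = {
    "caregiver": RolePolicy(
        privileges=frozenset({"view_status", "start_therapy", "stop_therapy"}),
        connectivity=frozenset(),          # no network connectivity at all
        auth_level=AuthLevel.PIN,
    ),
    "clinician": RolePolicy(
        privileges=frozenset({"view_status", "start_therapy", "stop_therapy",
                              "change_therapy_settings", "export_logs"}),
        connectivity=frozenset({"bluetooth_local"}),
        auth_level=AuthLevel.PASSWORD,
    ),
    "system_administrator": RolePolicy(
        # Administrative privileges only: the admin role deliberately gets no
        # clinical actions (least privilege), even though it is the most trusted.
        privileges=frozenset({"view_status", "export_logs", "update_firmware",
                              "configure_network", "manage_users"}),
        connectivity=frozenset({"bluetooth_local", "ethernet_lan", "cloud_remote"}),
        auth_level=AuthLevel.PASSWORD_AND_TOKEN,
    ),
}


class AuthorizationError(Exception):
    """Raised when a session may not act under the requested role."""


def check_role_session(role: str, session_auth: AuthLevel) -> RolePolicy:
    """Fail closed: unknown roles and under-authenticated sessions are rejected."""
    policy = ROLE_POLICIES.get(role)
    if policy is None:
        raise AuthorizationError(f"unknown role: {role!r}")
    if session_auth.value < policy.auth_level.value:
        raise AuthorizationError(
            f"role {role!r} requires {policy.auth_level.name}, "
            f"session only has {session_auth.name}")
    return policy


def is_authorized(role: str, action: str, session_auth: AuthLevel) -> bool:
    """True only if the session meets the role's auth level AND the role holds the privilege."""
    try:
        policy = check_role_session(role, session_auth)
    except AuthorizationError:
        return False
    return action in policy.privileges


def may_use_interface(role: str, interface: str, session_auth: AuthLevel) -> bool:
    """Connectivity is a privilege too: the same fail-closed check applies."""
    try:
        policy = check_role_session(role, session_auth)
    except AuthorizationError:
        return False
    return interface in policy.connectivity


def privilege_matrix() -> list:
    """Render the enforced policy as rows for the submission's authorization description."""
    rows = []
    for role, policy in ROLE_POLICIES.items():
        rows.append({
            "role": role,
            "privileges": sorted(policy.privileges),
            "connectivity": sorted(policy.connectivity) or ["none"],
            "authentication": policy.auth_level.name,
        })
    return rows


if __name__ == "__main__":
    for row in privilege_matrix():
        print(row)
```

Two design choices matter for the FDA's question. First, every decision goes through `check_role_session`, so a role can never be exercised by a session that has not completed the authentication process documented for that role, and an unknown role is denied rather than given a default. Second, connectivity is treated as a per-role privilege rather than a global device setting, which is exactly the "differences in available connectivity" the request asks to have described; `privilege_matrix()` produces that description from the same data the device enforces, so the documentation cannot drift from the implementation.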

Please follow us to see more examples of AI Requests – a new one is released every week. 

Should you receive an Additional Information Request from the FDA, CriTech is here to help.  Please give us a call to discuss and we’ll help you craft what you need to do going forward.

Should you happen to receive an FDA AIR related to software as part of your submission, CriTech is here to help. Contact us any time.

Follow us on LinkedIn to find out when the next example of our FDA AIRs series is released.