Example #15: Inadequate Information on the Confidentiality Controls used to Protect the Device

By Robert Rajewski, President, CriTech Research, Inc.
Here’s this week’s example of an Additional Information Request (AI Request):

FDA Additional Information Request – Example #15: Inadequate Information on the Confidentiality Controls used to Protect the Device

You did not provide adequate documentation on the confidentiality controls used to protect the device.

Adequate confidentiality controls are important to comply with the requirements specified in section 524B(b)(2) of the Federal Food, Drug, and Cosmetic Act to provide a reasonable assurance that the device and related systems are cybersecure. It is also consistent with recommendations in Section 5 of the FDA guidance document “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” that manufacturers ensure capability of secure data transfer to and from the device, and when appropriate, use methods for encryption.

Inadequate confidentiality controls can expose information or commands transmitted to or from the device in plaintext, where they could be captured and used to impact device safety and effectiveness.

Therefore, please provide a description of the confidentiality controls implemented for securing data transfer to and from the device. For encryption algorithms, please provide a detailed justification for how the algorithm(s) used provide sufficient security based on the risk of the asset.

In this example, the manufacturer did not provide documentation on the confidentiality controls implemented by the device.

The goal of confidentiality is to prevent unauthorized disclosure of information. The threats addressed include data breaches, eavesdropping, social engineering, and insider leaks.

For a connected device, the central confidentiality control is encryption of data in transit, so that commands and information exchanged with the device are never sent in plaintext where they could be intercepted and used to impact device safety and effectiveness. Having the control is not enough for the submission: the manufacturer must document the encryption algorithms used and give a detailed justification for how they provide sufficient security based on the risk of the asset being protected (the level of protection that is adequate for routine telemetry may not be adequate for a therapy command).

The FDA is therefore requesting two things: a description of the confidentiality controls implemented for securing data transfer to and from the device, and, for each encryption algorithm used, a detailed justification for how it provides sufficient security based on the risk of the asset.

Examples of Controls:

  • Access Control
    • Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC)
    • Least privilege principle and need-to-know restrictions
  • Authentication & Authorization
    • MFA (Multi-Factor Authentication)
    • Strong password policies, biometric verification
  • Encryption
    • Data-at-rest encryption (e.g., AES-256)
    • Data-in-transit encryption (e.g., TLS 1.3)
  • Data Masking & Tokenization
    • Mask sensitive fields (e.g., SSN, credit card number) in logs and screens
  • Network Security
    • VPNs, secure network segmentation, intrusion prevention systems (IPS)
  • User Awareness & Training
    • Phishing prevention education, insider threat awareness
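As an added illustration (this is not from the original post, and not CriTech's or FDA's code), here is how a device's outbound client code could enforce the "data-in-transit encryption (TLS 1.3)" control listed above, shown beside a permissive configuration of the kind that would leave the request above unanswerable, together with a small audit function that reports the gaps a reviewer would flag. The function names and the assumption that the device ships its own pinned CA bundle are illustrative; the code uses only the Python standard library and opens no network connection.

```python
"""Added example: enforcing and auditing a data-in-transit confidentiality
control (TLS 1.3 with server authentication) on a device's outbound client.
Illustrative only; not from the original post or any vendor's code base.
Standard library only; no network connection is opened."""
import ssl
from typing import List, Optional


def build_device_tls_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Hardened client context matching a documented control of
    'TLS 1.3 only, server certificate required, hostname verified'.

    cafile: path to the manufacturer's trusted CA bundle (an assumption;
    a device would ship this pinned set rather than rely on system roots).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Refuse any handshake below TLS 1.3, so a downgrade to an older
    # protocol version cannot move commands or data into a weaker channel.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    # PROTOCOL_TLS_CLIENT already sets CERT_REQUIRED and check_hostname=True;
    # set them explicitly so the control is visible in the code cited
    # in the submission.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)
    return ctx


def build_permissive_context() -> ssl.SSLContext:
    """Constructed 'before' configuration: encryption is nominally on, but
    the minimum protocol version is left at the library default and the
    server is not authenticated, so an on-path attacker can present any
    certificate and read or alter the traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> List[str]:
    """Compare a context against the documented control and return the
    gaps a reviewer would flag; an empty list means the control is met."""
    findings: List[str] = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_3:
        findings.append(
            f"minimum protocol version is {ctx.minimum_version.name}; "
            "documented control requires TLSv1_3"
        )
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append(
            "server certificate is not verified (verify_mode is not CERT_REQUIRED)"
        )
    if not ctx.check_hostname:
        findings.append("server hostname is not checked against the certificate")
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", build_device_tls_context()),
                       ("permissive", build_permissive_context())):
        gaps = audit_client_context(ctx)
        print(f"{label}: {'control met' if not gaps else gaps}")
```

The audit output is the kind of evidence that backs the description the FDA is asking for: it ties the written control ("TLS 1.3, server authenticated") to the configuration actually shipped, and the justification for the algorithm choice then only has to argue why that channel is sufficient for the assets it carries.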

Should you happen to receive an FDA AIR related to software as part of your submission, CriTech is here to help. Contact us any time.

Follow us on LinkedIn to find out when the next example of our FDA AIRs series is released.