Here’s this week’s example of an Additional Information Request (AI Request):
FDA Additional Information Request – Example #9: Missing Documentation on the Cybersecurity Controls used to Protect the Device
You did not provide documentation on the cybersecurity controls used to protect the device.
Adequate authentication controls are important to comply with the requirements specified in section 524B(b)(2) of the Federal Food, Drug, and Cosmetic Act to provide a reasonable assurance that the device and related systems are cybersecure. It is also consistent with recommendations in Section 5 of the FDA guidance document “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” (https://www.fda.gov/media/86174/download) that cybersecurity functions, including authentication controls, be included in the device. Specifically, this guidance recommends manufacturers address the following related to authentication:
- Strengthen password protection by avoiding “hardcoded” password or common words (i.e., passwords which are the same for each device, difficult to change, and vulnerable to public disclosure) and limit public access to passwords used for privileged device access;
- Limit access to devices through the authentication of users (e.g., user ID and password, smartcard, biometric); and
- Use appropriate authentication (e.g., multi-factor authentication to permit privileged device access to system administrators, service technicians, maintenance personnel).
Therefore, please provide updated documentation to address these concerns.
In this example, the company neglected to include the required cybersecurity control information in its 510(k) submission to the FDA.
In particular, the FDA was asking the company to avoid “hardcoded” passwords and to limit public access to the superuser password. The company’s requirements described hardcoded passwords for the various user levels, each a fixed text string, and the service manual published those passwords. The service manual made its way onto the internet, where the hardcoded passwords are easily looked up.
The device also supports only a few user levels, with no record of which individual is using each level or its password, which becomes a problem when a user leaves the company and the shared password cannot be revoked for that person alone. Each user logs in under one of four user categories, each of which has a hardcoded password.
The FDA goes on to advise using appropriate authentication to ensure only privileged users are permitted access to system administrator, service technician, or maintenance features.
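As an added illustration of the gap the request describes (this is example code written for this post, not the company’s firmware or anything from the FDA guidance), the block below places the objectionable scheme, one fixed password per user category, beside a hardened per-user credential store. All user names, passwords and role names are constructed placeholders. The hardened store gives each person an individual account with a salted PBKDF2 hash, records who logged in rather than only which category, requires a second factor for privileged roles, and lets an individual account be deactivated when that person leaves without touching anyone else’s access.

```python
"""Hardcoded role passwords versus per-user accounts (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass

# --- The pattern the AI Request objected to -------------------------------
# One fixed string per user level: identical on every unit, printed in the
# service manual, and impossible to revoke for a single departed technician.
# Values are constructed placeholders, not real device passwords.
HARDCODED_ROLE_PASSWORDS = {
    "operator": "oper-placeholder",
    "service": "svc-placeholder",
    "admin": "admin-placeholder",
}


def hardcoded_login(role: str, password: str) -> bool:
    """Role-only login: reveals which *category* logged in, never *who*."""
    return HARDCODED_ROLE_PASSWORDS.get(role) == password


# --- Hardened pattern --------------------------------------------------------
PBKDF2_ITERATIONS = 100_000  # assumption: tuned for the device's CPU budget
PRIVILEGED_ROLES = {"admin", "service", "maintenance"}
ALL_ROLES = PRIVILEGED_ROLES | {"operator"}


@dataclass
class Account:
    username: str
    role: str
    salt: bytes
    pw_hash: bytes
    active: bool = True
    second_factor_required: bool = False


def _derive(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a leaked store does not yield passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class CredentialStore:
    """Per-user accounts with roles, revocation, and a who-logged-in audit trail."""

    def __init__(self) -> None:
        self._accounts: dict[str, Account] = {}
        self.audit_log: list[str] = []  # constructed in-memory log for the example

    def create_user(self, username: str, password: str, role: str) -> Account:
        if role not in ALL_ROLES:
            raise ValueError(f"unknown role: {role}")
        salt = os.urandom(16)  # unique per account, so hashes differ per user
        acct = Account(
            username, role, salt, _derive(password, salt),
            second_factor_required=role in PRIVILEGED_ROLES,
        )
        self._accounts[username] = acct
        return acct

    def change_password(self, username: str, new_password: str) -> None:
        """Individual passwords can be rotated, unlike a manual-printed constant."""
        acct = self._accounts[username]
        acct.salt = os.urandom(16)
        acct.pw_hash = _derive(new_password, acct.salt)

    def deactivate(self, username: str) -> None:
        """Offboarding: revoke one person without changing anyone else's access."""
        self._accounts[username].active = False

    def authenticate(self, username: str, password: str, second_factor_ok: bool = False):
        """Return (username, role) on success, or None.

        Privileged roles additionally require a second factor to have been
        verified by the caller (the MFA step is out of scope and assumed)."""
        acct = self._accounts.get(username)
        if acct is None or not acct.active:
            self.audit_log.append(f"DENY unknown/inactive user={username}")
            return None
        if not hmac.compare_digest(_derive(password, acct.salt), acct.pw_hash):
            self.audit_log.append(f"DENY bad password user={username}")
            return None
        if acct.second_factor_required and not second_factor_ok:
            self.audit_log.append(f"DENY missing second factor user={username}")
            return None
        self.audit_log.append(f"ALLOW user={username} role={acct.role}")
        return acct.username, acct.role


if __name__ == "__main__":
    store = CredentialStore()
    store.create_user("tech-alice", "placeholder-pw-1", "service")
    store.create_user("op-bob", "placeholder-pw-2", "operator")
    print(store.authenticate("op-bob", "placeholder-pw-2"))
    print(store.authenticate("tech-alice", "placeholder-pw-1"))          # None: no 2nd factor
    print(store.authenticate("tech-alice", "placeholder-pw-1", True))    # allowed
    store.deactivate("tech-alice")
    print(store.authenticate("tech-alice", "placeholder-pw-1", True))    # None: revoked
    print(*store.audit_log, sep="\n")
```

The design choice worth noting is that `authenticate` returns the individual's name alongside the role, so every privileged action can be attributed to a person; the hardcoded scheme can only ever say that “someone with the service password” acted. Deactivating one account is what makes the departed-employee case tractable, and per-account salts mean two users who happen to choose the same password still get different stored hashes.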
The FDA placed the submission “On Hold” until after the issues were resolved and the company resubmitted the documentation and related testing proving the changes were safely and effectively implemented.
Please follow us to see more examples of AI Requests – a new one is released every week.
Should you receive an Additional Information Request from the FDA, CriTech is here to help. Please give us a call to discuss and we’ll help you craft what you need to do going forward.