Security Risk Management: An FDA Submission Victory

SITUATION

• The client filed a 510(k) submission with the FDA for a next generation medical device.
• In response, the FDA issued an information request (IR) letter, seeking clarification and pointing out gaps in the submission.
• The client had 90 days to address the FDA’s concerns with a satisfactory response, or risk delays and heightened scrutiny from a full resubmission.

Challenges

• The client had inadequate documentation for their legacy system, putting the pre-market approval of the next generation system at risk.
• The client received inadequate guidance from an external third party consultant, leading to an IR notification.
• Act swiftly to address and resolve the FDA’s concerns, ensuring a successful outcome and minimizing any potential delays in time to market.

SOLUTION

• MedAcuity conducted a thorough review of the FDA submission to identify gaps in relation to current FDA guidance.
• Updated SOPs and work instructions for the stalled submission, ensuring alignment with previous submissions and continued support.
• Collaborated with the client’s team to update their QMS, addressing critical gaps.
• Developed a security architecture and threat model.
• Performed a detailed security risk analysis.

Results

In alignment with current FDA guidance and SW96, MedAcuity

• Ensured the client could implement and verify the necessary controls and documented all activities in the Compliance Report.
• The client submitted updates addressing gaps, and the FDA accepted the resubmission, granting premarket approval.
• Another example of the effectiveness of MedAcuity’s gold-standard for security-focused remediation.