This message was posted by a user wishing to remain anonymous
Dear RAPS members,
I am trying to understand the FDA guidance "Deciding-When-to-Submit-a-510(k)-for-a-Software-Change-to-an-Existing-Device---Guidance-for-Industry-and-Food-and-Drug-Administration-Staff" and need your help.
As per the guidance document, if a change is made solely to strengthen cybersecurity it is not likely to require submission of a new 510(k). If a vulnerability is fixed to prevent unauthorized access and the fix has no impact on the clinical safety code of the software, is it considered solely strengthening the cybersecurity?
For example: If an unauthorized actor gains access to an Insulin pump (may try to modify dosing) and that unauthorized access vulnerability is being fixed. Does it trigger a submission, even if the security fix only impacts the security code of the device?
Thanks in advance.