Cybersecurity Expert Says eSTAR Requirement Will Push FDA, Industry In Positive Direction
Executive Summary
Medcrypt cybersecurity expert tells Medtech Insight that FDA requirements that launch on 1 October will push the industry as well as the agency in a positive direction.
Cybersecurity expert Naomi Schwartz is looking forward to October.
Beginning 1 October, the Food and Drug Administration will require electronic Submission Template And Resource (eSTAR) forms for 510(k) submissions. The use of the eSTAR system is currently voluntary. (Also see "Device Recalls Up, Manufacturing Defects Called The Culprit" - Medtech Insight, 6 Jul, 2023.)
Schwartz, who is the senior director of cybersecurity quality and safety at device cybersecurity firm Medcrypt, believes that eSTAR will be a “paradigm shift” for FDA submissions. Medcrypt offers consulting services for medical device manufacturers (MDM) navigating the eSTAR filing process, RTA decisions and FDA submission readiness.
eSTAR is an interactive PDF that acts as an electronic submission template. The template walks manufacturers through each piece of the submission and “spoon-feeds [manufacturers] step-by-step,” Schwartz said.
The final eSTAR guidance was released in September 2022. (Also see "FDA Finalizes Electronic Submissions Guidance" - Medtech Insight, 21 Sep, 2022.)
“If you do an appropriate job and fill everything in completely and honestly in the eSTAR template, you will know that you've got the material you need,” she said.
Schwartz acknowledged that the 1 October deadline may be intimidating, but she urged MDMs not to rush device submissions to avoid the requirements.
She recommended that device company regulatory experts meticulously study the eSTAR form, since choosing different answers on the PDF will populate different areas of the form.
Schwartz gave Medtech Insight an example: If a sponsor identifies an electronic interface in their device, the PDF “will automatically populate the need for cybersecurity data, which is a very comprehensive set of questions that get asked for cybersecurity.”
If that section is missed, the cybersecurity questions will not show up on the form, which is one reason why Schwartz believes that it’s critical to understand each piece of the form before filling it out.
She acknowledged that eSTAR may “throw a wrench in people’s submissions processes for a bit.” For instance, only one person can work on the form at a time.
Also on 1 October, FDA will begin to issue Refusal to Accept (RTA) decisions based on the cybersecurity requirements outlined in section 524B of the Food, Drug and Cosmetics Act. These requirements were outlined in the Consolidated Appropriations Act of 2023 and include the submission of software bills of materials (SBOMs) and other cybersecurity requirements. (Also see "‘Refuse to Accept’ Decisions For Cyber Devices To Begin In October" - Medtech Insight, 29 Mar, 2023.)
RTA decisions aren’t based on whether a submission is adequate for approval, but simply whether it is complete. The eSTAR template should theoretically eliminate the need for RTA decisions, Schwartz said.
More Confidence In The Agency And Industry
Smaller companies may not have the resources or internal cybersecurity expertise to properly meet the 1 October requirements. In these scenarios, Schwartz recommended hiring outside help.
“Companies are going to have to hire somebody who actually has some background in cybersecurity and who can receive training that is in line with FDA's expectations,” she said.
Even though compliance can be a challenge, the changes are going to shift the industry in a positive direction and will make MDMs think about cybersecurity as an integral part of the total product lifecycle, Schwartz believes.
The new requirements will also “motivate FDA to hire more skilled professionals in the space, which means manufacturers will see a more consistent review across the agency,” she said.
Larger companies with devices reviewed by multiple offices across the FDA will see more consistency between reviewers, which Schwartz said will make the submission process “more transparent and predictable,” allowing MDMs to start building their products more securely since they “understand what’s expected.”
As another advantage, the increased predictability and quality tied to the eSTAR overhaul may give device users more confidence in the FDA and MDMs as well, Schwartz believes.