FDA / Regulatory News
The U.S. Food and Drug Administration (FDA), based upon statutory revisions as a result of the Coronavirus Aid, Relief, and Economic Security (CARES) Act, is implementing a certification for medical devices not exported from the United States. If certain requirements are met, a Certificate for Device Not Exported from the United States (CDNE) may be issued upon request.
A CDNE is a document prepared by the FDA that may be issued for medical devices that are manufactured outside of the United States (OUS) and are shipped to another OUS country.
A Certificate for Device Not Exported from the United States (CDNE) may be issued for a medical device manufactured outside of the United States that:
- is the subject of a premarket notification under section 510(k) of the Federal Food, Drug, & Cosmetic Act (FD&C Act); or
- is the subject of an approved premarket approval application (PMA) under section 515(d) of the FD&C Act; or
- is the subject of an approved humanitarian device exemption under section 520(m) of the FD&C Act; or
- has been granted a De Novo request under section 513(f)(2) of the FD&C Act; or
- was in commercial distribution before May 28, 1976; or
- is exempt from section 510(k) of the FD&C Act, subject to the limitations of exemption.
Types of medical software (Overview)
- Software as a medical device (Status – Regulated) – FDA definition: medical software that is itself a medical device and is not a component, part, or accessory of a medical device.
- Medical Device Data Systems (MDDS) (Status – may or may not be Regulated) – FDA definition: hardware or software products intended to transfer, store, convert formats, and display medical device data. An MDDS does not modify the data or modify the display of the data, and it does not by itself control the functions or parameters of any other medical device.
  - Software functions that are solely intended to transfer, store, convert formats, and display medical device data or medical imaging data are not devices and are not subject to FDA regulatory requirements applicable to devices.
  - If the software modifies data or controls the functions or parameters of a device, then it may be subject to FDA regulatory requirements.
- Clinical Decision Support (CDS) software (Status – may or may not be Regulated) – FDA definition: provides health care professionals (HCPs) and patients with knowledge and person-specific information, intelligently filtered or presented at appropriate times, to enhance health and health care. CDS is described as a variety of tools including, but not limited to: computerized alerts and reminders for providers and patients; clinical guidelines; condition-specific order sets; focused patient data reports and summaries; documentation templates; diagnostic support; and contextually relevant reference information.
  - CDS is subject to FDA regulatory requirements if the intended use corresponds with a definition of medical device.
- Mobile Medical Application (MMA) (Status – may or may not be Regulated) – FDA definition: software application that can be executed (run) on a mobile platform (i.e., a handheld commercial off-the-shelf computing platform, with or without wireless connectivity), or a web-based software application that is tailored to a mobile platform but is executed on a server.
  - MMA is subject to FDA regulatory requirements if the intended use corresponds with a definition of medical device.
Cybersecurity
Improper Authentication (when an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct) was identified as a vulnerability.
The affected products are vulnerable to a network session authentication vulnerability within the authentication process between specified versions of the BD Alaris PC Unit and the BD Alaris Systems Manager. If exploited, an attacker could perform a denial-of-service attack on the BD Alaris PC Unit by modifying the configuration headers of data in transit. A denial-of-service attack could lead to a drop in the wireless capability of the BD Alaris PC Unit, resulting in manual operation of the PC Unit.