
As the healthcare industry continues to embrace digital transformation, connected medical devices are becoming more common—and more vulnerable. From insulin pumps and pacemakers to remote monitoring systems and diagnostic tools, these devices are increasingly exposed to cyber threats that can compromise patient safety, data integrity, and regulatory compliance.

 

In this blog, we explore the top cybersecurity risks facing connected medical devices and share expert insights on how manufacturers can stay ahead of evolving threats and meet global regulatory expectations.




Late Integration of Cybersecurity in Product Development

One of the most frequent mistakes medical device manufacturers make is waiting too long to address cybersecurity. Cybersecurity should be embedded early in the medical device development lifecycle, not added as an afterthought. Delayed integration can lead to vulnerabilities that are costly to fix and may result in regulatory delays or denials.

 

Tip: Begin threat modeling immediately after defining device features to ensure secure design specifications and reduce remediation costs.

 

Incomplete Software Bill of Materials (SBOM)

A comprehensive Software Bill of Materials (SBOM) is now a regulatory requirement in both the U.S. and EU. Many companies still submit SBOMs that lack depth, omitting nested components or failing to meet machine-readable format standards. This can lead to compliance issues and increased risk exposure.

 

Tip: Include all software layers—components of components—and ensure your SBOM is both human- and machine-readable.
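The completeness gaps described above can be checked mechanically. The following is an added example, not code from RCA or from any regulator; it assumes the SBOM is CycloneDX JSON, and the sample document and every component name in it are constructed for illustration.

```python
import json

# Constructed CycloneDX-style SBOM for a hypothetical infusion-pump firmware.
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "pump-fw", "name": "pump-fw", "version": "2.1.0"}},
  "components": [
    {"bom-ref": "rtos", "name": "example-rtos", "version": "10.4.3",
     "purl": "pkg:generic/example-rtos@10.4.3",
     "components": [{"bom-ref": "tcpip", "name": "example-tcpip", "version": "2.0"}]},
    {"bom-ref": "tls", "name": "example-tls", "purl": "pkg:generic/example-tls"},
    {"bom-ref": "ble", "name": "vendor-ble-stack", "version": "5.2",
     "purl": "pkg:generic/vendor-ble-stack@5.2"}
  ],
  "dependencies": [
    {"ref": "pump-fw", "dependsOn": ["rtos", "tls", "ble"]},
    {"ref": "rtos", "dependsOn": ["tcpip"]},
    {"ref": "tls", "dependsOn": ["bignum"]}
  ]
}
""")

def flatten(components):
    """Yield every component, descending into nested 'components' arrays."""
    for comp in components or []:
        yield comp
        yield from flatten(comp.get("components"))

def audit_sbom(bom):
    """Return completeness findings for a CycloneDX JSON document."""
    comps = {c["bom-ref"]: c for c in flatten(bom.get("components"))}
    deps = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    return {
        # No version: cannot be matched against vulnerability advisories.
        "missing_version": sorted(r for r, c in comps.items() if not c.get("version")),
        # No purl or cpe: no machine-readable identity for automated lookup.
        "missing_identifier": sorted(
            r for r, c in comps.items() if not (c.get("purl") or c.get("cpe"))),
        # Referenced as a dependency but never described: an omitted nested component.
        "undescribed_refs": sorted(
            {t for targets in deps.values() for t in targets} - set(comps)),
        # No dependency entry at all: leaf or simply unanalysed, the SBOM does not say.
        "no_dependency_entry": sorted(comps.keys() - deps.keys()),
    }

if __name__ == "__main__":
    print(json.dumps(audit_sbom(SAMPLE_SBOM), indent=2))
```

An empty result in every category does not prove the SBOM is complete; it only shows that what is declared is internally consistent and identifiable.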

 

Legacy Devices with Outdated Security

Legacy medical devices often lack modern cybersecurity features such as patching capabilities, logging, and threat detection. These devices pose a significant risk, especially when integrated into hospital networks.

 

Tip: Conduct a full cybersecurity assessment of legacy devices and plan for updates or redesigns that meet current FDA cybersecurity guidance and EU MDR requirements.

 

Lack of Threat Modeling and Vulnerability Management

Without proper threat modeling, manufacturers may overlook critical vulnerabilities. Additionally, failing to maintain a coordinated vulnerability disclosure program can result in non-compliance and reputational damage.

 

Tip: Implement a secure product development framework that includes threat modeling, penetration testing, and vulnerability traceability.

 

Overexposed Physical and Network Interfaces

Ports like USB, Bluetooth, and Wi-Fi can be exploited if not properly secured. Devices with exposed service ports or debug features are particularly vulnerable to unauthorized access.

 

Tip: Use physical controls (e.g., security screws, access doors) to limit exposure. Disable unnecessary ports and implement strong authentication protocols.

 

Misalignment with Global Regulatory Requirements

With evolving guidance from the FDA, EU MDR, UK MHRA, and the Cyber Resilience Act, companies must ensure their cybersecurity practices align across markets. Misalignment can lead to costly redesigns and delayed market access.

 

Tip: Stay informed on global cybersecurity regulations and work with experts who understand regional differences and harmonization efforts.

 

Final Thoughts

Cybersecurity in connected medical devices is no longer optional—it’s a regulatory and ethical imperative. By addressing these risks early and thoroughly, manufacturers can protect patients, ensure compliance, and maintain trust in their products.

 

Ready to Strengthen Your Cybersecurity Strategy?

Regulatory Compliance Associates® (RCA) specializes in helping medical device companies navigate the complex world of cybersecurity compliance, from SBOM development and threat modeling to FDA submissions and global market access. Contact RCA today to schedule a consultation with our cybersecurity experts and ensure your device is secure, compliant, and ready for market.

Regulatory Compliance Associates® (RCA) Executive Pharma Compliance Expert & Principal Consultant, Anita Michael, recently shared important FDA updates impacting pharmaceutical manufacturers. With over 25 years of global regulatory and quality experience—including 16 years as the FDA’s Global Pharmaceutical Expert—Anita emphasizes the need for heightened inspection readiness.

 

Key FDA Updates

  • Unannounced Inspections Abroad: The FDA will now conduct unannounced inspections at foreign manufacturing facilities, similar to those already performed in the U.S. This expansion ensures drug substances, finished products, and critical excipients entering the U.S. meet safety and quality standards.
  • Rigorous Reviews: Expect science-based audits across manufacturing operations and quality systems. Companies should ensure their six quality systems (Quality, Production, Laboratory, Facilities & Equipment, Materials, and Packaging/Labeling) are fully inspection-ready.
  • Pre-Approval Program Updates: The FDA has refined its pre-approval inspection focus to include:
    • Readiness for commercial manufacturing (QMS and six systems)
    • Conformance to application and data integrity requirements
    • Commitment to quality and pharmaceutical development
    • Audit preparedness and documentation management

Preparing for Compliance

To stay ahead, companies should:

  • Conduct robust internal and external audits
  • Maintain a centralized FDA document repository
  • Ensure subject matter experts are prepared to address complex regulatory questions

 

Why It Matters

These changes highlight the FDA’s commitment to protecting U.S. patients by ensuring consistent global manufacturing standards. Proactive preparation will be critical for pharmaceutical companies with international facilities or partnerships.

 

Need support preparing for FDA inspections or audits? Contact RCA today to speak with our compliance experts and ensure your organization is inspection-ready.

Combination product submissions require a tailored regulatory strategy that blends device, drug, and biologic requirements. The complexity increases when multiple FDA centers could be involved.

 

The journey begins with identifying the product’s primary mode of action (PMOA). This determines which FDA center will lead the review:

  • CDER: Center for Drug Evaluation and Research
  • CBER: Center for Biologics Evaluation and Research
  • CDRH: Center for Devices and Radiological Health

If the PMOA is unclear, companies can submit a Request for Designation (RFD) to the Office of Combination Products.

 

Once the lead center is determined, companies must ensure their submission addresses the regulatory requirements of both drug/biologic and device frameworks. This includes integrating device GMPs (21 CFR Part 820) with existing pharma QMS (21 CFR Part 210/211).

 

Key requirements typically include:

  • Quality system alignment with 21 CFR Part 4
  • Documentation of design controls, CAPA, and purchasing controls
  • Evidence of human factors testing for design validation
  • Management responsibility and risk management processes

Recent FDA draft guidance (e.g., on essential performance outputs) further clarifies what must be demonstrated in combination product submissions. The focus is shifting toward system-level outputs that directly impact drug delivery and therapeutic performance.

 

For companies planning international expansion, the regulatory roadmap extends beyond the U.S. CE marking under the EU MDR often requires a Notified Body Opinion confirming that the device component is adequately controlled.

 

Success starts with early planning and cross-functional alignment. Regulatory, quality, and product development teams must work together to:

  • Identify regulatory gaps
  • Align SOPs and systems
  • Develop submission-ready documentation
  • Engage proactively with regulatory bodies

Navigating the regulatory maze of combination product submissions is complex but manageable—with the right roadmap, tools, and expertise in place.

 

Work with RCA to Streamline Your Submission Process

Regulatory Compliance Associates helps companies navigate the complexities of combination product submissions in both U.S. and global markets. From regulatory strategy to documentation support, RCA is your trusted partner. Reach out today to get started.

Many companies don’t realize they have a combination product until it’s too late. With increased regulatory scrutiny from the FDA, properly identifying your product type is not just important—it’s essential for compliance, market access, and patient safety.

 

A combination product, as defined by the FDA, is a therapeutic and diagnostic product that combines drugs, devices, and/or biological products. These products can take multiple forms, including:

  • Prefilled syringes (drug + delivery device)
  • Drug-eluting stents (device coated with a drug)
  • Convenience kits (e.g., vials packaged with filters and needles)
  • Cross-labeled products (e.g., drug and device sold separately but intended for combined use)

Some of these combinations are obvious, but many are not. A product that seems like simple packaging may actually trigger combination product regulations under FDA’s 21 CFR Part 4, effective since 2013. The FDA began strict enforcement in 2014, prompting many companies to reevaluate their portfolios.

 

One of the biggest risks is operating under outdated assumptions. If your company has historically marketed a device or drug in conjunction with another regulated product, you may already be in combination product territory without knowing it.

 

If there’s uncertainty, the FDA allows companies to submit a Request for Designation (RFD). This formal process helps determine which regulatory center (CDER, CBER, or CDRH) will have primary jurisdiction over your product based on its primary mode of action (PMOA).

 

Identifying whether your product qualifies as a combination product is a foundational step. Doing so early allows for proper planning of your development pathway, avoids regulatory surprises, and helps build a robust compliance strategy.

 

Partner with Regulatory Experts

Regulatory Compliance Associates (RCA) has extensive experience helping companies identify and navigate combination product requirements. Contact RCA today to ensure you’re on the right path from the start.

Why Design Controls Matter for Combination Products

Design controls represent one of the most significant regulatory challenges for companies entering the combination product market, especially those with a pharmaceutical or biologics background.

 

Key Regulatory Frameworks Involved

Pharma companies are well-versed in process validation under GMPs (21 CFR Part 210/211). However, combination products that include a device component require adherence to device regulations under 21 CFR Part 820, which mandates design controls.

 

What’s Required Under Design Controls?

Design controls involve structured development planning and documentation, including:

  • Design and development planning
  • User needs and design inputs
  • Design outputs and verification
  • Design validation (often including human factors/usability testing)
  • Design transfer
  • Design history files (DHF)

 

The Importance of Human Factors and Validation Testing

These are not just technicalities—they’re critical quality elements the FDA uses to determine whether a product will perform as intended when used by real patients. One of the most commonly misunderstood areas is design validation, which often requires human factors testing to confirm that the user can safely and effectively operate the device component.

 

How to Integrate Design Controls into a Pharma QMS

For many drug companies, integrating these design requirements means:

  • Creating new SOPs for design and development
  • Training teams on device regulations
  • Hiring or consulting with medical device experts

 

Get Help From Combination Product Experts

RCA offers deep expertise in integrating design controls into pharmaceutical systems. Whether you need support with SOP development, training, or validation planning, RCA is here to help. Contact us today to learn more.

503B outsourcing facilities play a critical role in addressing drug shortages and providing large-scale compounded medications. However, with this privilege comes the responsibility of adhering to stringent FDA regulations under Current Good Manufacturing Practices (CGMP). Repeated violations can lead to FDA warning letters, product recalls, and even shutdowns. Understanding common pitfalls is essential for maintaining compliance and ensuring patient safety.

 

In this blog, we examine some of the most frequent deficiencies cited in FDA warning letters to 503B facilities and how you can proactively prevent them.

 

Inadequate Aseptic Processing Controls

A recurring theme in FDA inspections is the failure to maintain proper aseptic technique and conditions. This includes:

  • Inadequate aseptic employee techniques
  • Improper personnel gowning and behavior
  • Poor cleanroom design and maintenance
  • Inadequate airflow and HEPA filter placement
  • Insufficient monitoring of environmental conditions
  • Poor cleaning, disinfection and sanitation controls

How to Avoid: Conduct a comprehensive GMP review of your aseptic processes, validate cleanroom performance, and implement rigorous training for all personnel involved in sterile compounding.

 

Deficient Environmental Monitoring Programs

Many facilities fall short in establishing adequate environmental monitoring (EM) protocols. Common issues include:

  • Irregular or infrequent sampling
  • Lack of meaningful trending and analysis
  • Delayed response to out-of-specification (OOS), alert and action results
  • Insufficient timely corrective actions

How to Avoid: Develop a robust EM and PM program that includes real-time data collection, regular review of trends, and timely corrective actions. Use EM data as a proactive quality tool, not just a compliance checkbox.

 

Incomplete or Inaccurate Documentation

Documentation is the backbone of GMP compliance. FDA has consistently cited 503B facilities for:

  • Missing batch records, incomplete entries and poor GDPs
  • Lack of thorough and timely deviations and investigations
  • Lack of CAPAs
  • Lack of traceability in production processes

How to Avoid: Enforce strict documentation procedures and requirements. Ensure all entries are legible, contemporaneous, original, accurate and reviewed regularly by quality assurance experts. Implement validated electronic systems where feasible to reduce human error.

 

Insufficient Process Validation

Many 503B facilities do not adequately validate their compounding processes. This includes:

  • Limited or no validation of sterile filtration and filling processes
  • Absence of complete media fill simulations
  • Failure to scientifically demonstrate repeatability and reliability of processes

How to Avoid: Develop and execute a thorough validation master plan (VMP) and perform validation studies. Conduct media fills under worst-case conditions, ensure all critical parameters are tested and documented, and confirm that the facility is operating in a state of control.

 

Poor Quality Unit Oversight

The FDA expects a robust and independent quality unit (QU) to oversee all aspects of production. Common failures include:

  • QU lacking authority or involvement in decision-making
  • Quality responsibilities split among unqualified personnel
  • Inadequate review of batch records and investigations
  • Poor or incomplete quality SOPs

How to Avoid: Empower your quality unit with the necessary resources, training, and authority to act independently. Quality should not be siloed—it must be embedded into every layer of your operation.

 

Final Thoughts

503B outsourcing facilities operate under intense regulatory scrutiny, and for good reason: they are entrusted with producing high-risk sterile medications on a large scale. By studying past deficiencies and strengthening internal systems, facilities can avoid the missteps that lead to enforcement actions.

 

Stay proactive, stay informed, and remember that compliance is not a one-time task—it’s an ongoing commitment to excellence.

 

Need help assessing your compliance and strengthening your quality systems? Contact RCA today to get expert guidance tailored to your facility’s needs.