August 19, 2015

FDA Takes GUDID Offline: Security breach? Or Proactive Measures? AssurX QMSFDA detected a “security vulnerability” earlier this month that spooked it enough to take the highly-touted Global Unique Device Identification Database (GUDID) offline until it was able to affix, electronically, a suitable security patch. The GUDID Offline announcement came via guidance dated August 14.

FDA hasn’t issued any other details about what happened or didn’t happen. Is FDA reacting to something bad or being proactive to avoid something bad? Unless and until the agency steps forward with more information, we’re left to hope and trust they’ve got this under control. Chances are, the agency identified a tiny glitch and went overboard on purpose to address it.

According to the FDA’s Guidance Document:

“On August 7, 2015, due to a security vulnerability in GUDID, FDA decided to take the system offline until a patch is implemented. Due to the temporary unavailability of the GUDID system, we intend to exercise enforcement discretion to extend the September 24, 2015, GUDID submission compliance date for the implantable, life-supporting and life-sustaining medical devices to October 24, 2015. For extensions granted to class III labelers that expire between August 7 and September 24, 2015, we also intend to exercise enforcement discretion to extend the expiration date of these extensions to October 24, 2015.”

On a positive note, at least for the kind of medical device companies that do everything at the last minute, the agency acknowledges that taking the system offline might have derailed some attempts to interact with the GUDID and meet compliance deadlines. So, class III device makers whose compliance extension was September 24, 2015, will now have until October 24. That’s the same extension granted to class III labelers whose extensions expire between August 7 and Sept. 25, 2015.