FDA Issues Final Guidance on Cybersecurity in Medical Devices
The FDA has issued the final guidance Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions. The guidance replaces Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, issued on October 2, 2014.
This document provides recommendations on medical device cybersecurity considerations, device design and labeling, and what information to include in premarket submissions. “These recommendations are intended to promote consistency, facilitate efficient premarket review and help ensure that marketed medical devices are sufficiently resilient to cybersecurity threats,” the FDA states.
The guidance emphasizes that cybersecurity is part of device safety and the quality system requirements found in 21 CFR Part 820, which may be relevant at the premarket stage, postmarket stage or both. It provides recommendations on:
- How connected devices should be tested and validated against breaches that affect multiple connected devices.
- Provides labeling recommendations for devices with cybersecurity risks.
- Recommends that companies develop cybersecurity management plans that communicate how they will identify and communicate postmarket vulnerabilities in accordance with 21 CFR 820.100.
- Recommends that manufacturers provide an updateability and patchability view that describes the end-to-end process that permits software updates and patches to be provided/deployed once the device is in the field.
The guidance recommends that manufacturers use device design processes such as those described in the QS regulation to support secure product development and maintenance. But, to preserve flexibility, they may use other existing frameworks that satisfy the QS regulation and align with FDA’s recommendations for using a Security Product Development Framework (SPDF). Possible frameworks to consider include, but are not limited to, the medical device-specific framework that can be found in the Medical Device and Health IT Joint Security Plan (JSP) 30 and IEC 81001-5-1 or in ANSI/ISA 62443-4-1 Security for industrial automation and control systems Part 4- 1: Product security development life-cycle requirements.
The agency will host a webinar on November 2, 2023,for industry and other stakeholders interested in learning more about this guidance.
Related Articles
-
Magnetic resonance imaging (MRI) helps discover serious threats early and in a precise and painless way. However, patient safety may be in danger when medical implants interact with the electromagnetic environment. The developers of such implants are obliged to check…
-
The updated guidance clarifies how the program applies to medical devices that may address health inequities, as well as those that may increase access to care or provide a non-addictive treatment option to treat pain or addiction. It also clarifies…
-
Point of care 3D printing of medical devices has abundant potential. However, many regulatory uncertainties remain.
-
AAMI and the British Standards Institute (BSI) have jointly published new guidance documents on performing risk management for machine learning or artificial intelligence incorporating medical devices.
