Maryland: The FDA has issued the final guidance Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket SubmissionsThe guidance replaces Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, issued on October 2, 2014.

This document provides recommendations on medical device cybersecurity considerations, device design and labeling, and what information to include in premarket submissions. “These recommendations are intended to promote consistency, facilitate efficient premarket review and help ensure that marketed medical devices are sufficiently resilient to cybersecurity threats,” the FDA states.

The guidance emphasizes that cybersecurity is part of device safety and the quality system requirements found in 21 CFR Part 820, which may be relevant at the premarket stage, postmarket stage or both. It provides recommendations on:

 

  • How connected devices should be tested and validated against breaches that affect multiple connected devices.
  • Provides labeling recommendations for devices with cybersecurity risks.
  • Recommends that companies develop cybersecurity management plans that communicate how they will identify and communicate postmarket vulnerabilities in accordance with 21 CFR 820.100.
  • Recommends that manufacturers provide an updateability and patchability view that describes the end-to-end process that permits software updates and patches to be provided/deployed once the device is in the field.

The guidance recommends that manufacturers use device design processes such as those described in the QS regulation to support secure product development and maintenance. But, to preserve flexibility, they may use other existing frameworks that satisfy the QS regulation and align with FDA’s recommendations for using a Security Product Development Framework (SPDF). Possible frameworks to consider include, but are not limited to, the medical device-specific framework that can be found in the Medical Device and Health IT Joint Security Plan (JSP) 30 and IEC 81001-5-1 or in ANSI/ISA 62443-4-1 Security for industrial automation and control systems Part 4- 1: Product security development life-cycle requirements.