Cybersecurity Maintenance for Medical Devices with Off-The-Shelf Software

This guidance addresses cybersecurity considerations for medical devices that incorporate off-the-shelf (OTS) software and can be connected to private intranets or the public Internet. It clarifies how existing regulations, particularly the Quality System (QS) Regulation, apply to cybersecurity maintenance activities.

What You Need to Know 👇

What types of medical devices are covered by FDA cybersecurity guidance for OTS software?

This guidance applies to medical devices that incorporate off-the-shelf (OTS) software and can connect to private intranets or the public Internet. It’s primarily addressed to device manufacturers but also useful for network administrators and IT vendors.

What constitutes a cybersecurity vulnerability in networked medical devices?

A cybersecurity vulnerability exists when OTS software provides opportunities for unauthorized network or device access. These vulnerabilities can lead to unwanted software changes that may affect the medical device’s safety and effectiveness.

Who bears responsibility for cybersecurity maintenance of medical devices with OTS software?

The device manufacturer who incorporates OTS software bears full responsibility for the continued safe and effective performance of the medical device, including all OTS software components integrated into the device.

Do cybersecurity software patches require FDA premarket review before implementation?

Usually not. FDA review is only necessary when changes could significantly affect device safety or effectiveness. Most cybersecurity patches don’t require new 510(k) submissions or PMA supplements unless they change indications or affect safety/effectiveness.

Is validation required for software changes addressing cybersecurity vulnerabilities?

Yes, all software design changes must be validated according to established protocols before approval and issuance per 21 CFR 820.30(i). Analysis, inspection, and testing are typically adequate; clinical validation is usually unnecessary for cybersecurity patches.

What reporting requirements exist for cybersecurity patches under FDA regulations?

Most cybersecurity patches don’t require reporting under 21 CFR Part 806 since they reduce risk rather than address existing health risks. However, if patches affect device safety or effectiveness, manufacturers must report corrections to FDA.
What You Need to Do 👇

  1. Develop and implement a comprehensive cybersecurity maintenance plan
  2. Establish formal relationships with OTS software vendors
  3. Implement a validation process for all cybersecurity-related software changes
  4. Document all cybersecurity-related changes in the design history file
  5. Evaluate each patch for potential impact on device safety and effectiveness
  6. Determine if FDA notification is required for each cybersecurity patch
  7. Maintain records of all cybersecurity vulnerability assessments and corrections
  8. Create a process for responding to user concerns about cybersecurity vulnerabilities
  9. Establish clear procedures for delegating maintenance tasks while maintaining oversight
  10. Implement a system for monitoring and receiving information about new cybersecurity vulnerabilities

Key Considerations

Non-clinical testing

  • Software changes must be validated before approval and issuance
  • Analysis, inspection, and testing should be adequate for most cybersecurity patches
  • Clinical validation typically not necessary for cybersecurity patches

Software

  • Device manufacturers are responsible for the continued safe and effective performance of OTS software
  • Software patches must be validated according to established protocols
  • Changes must be documented in the design history file
  • A single cybersecurity maintenance plan should be developed
  • Formal business relationships should be maintained with OTS software vendors

Cybersecurity

  • Cybersecurity vulnerabilities must be addressed to prevent unauthorized access
  • Timely software patches are required to correct newly discovered vulnerabilities
  • Users should not attempt changes without manufacturer recommendations
  • Systematic analysis of vulnerabilities is required under 21 CFR 820.100

Safety

  • Actions taken should be appropriate to the magnitude of the problem and risks
  • Changes that could significantly affect safety require FDA review
  • Software patches affecting safety must be reported to FDA

Other considerations

  • New 510(k) submission usually not required for software patches
  • PMA supplements required if patches affect approved indications or safety/effectiveness
  • Maintenance responsibilities can be delegated but manufacturer maintains overall responsibility

Relevant Guidances 🔗

  • 21 CFR Part 820: Quality System Regulation
  • 21 CFR 807.81(a)(3): 510(k) submission requirements
  • 21 CFR 814.39: PMA supplement requirements
  • 21 CFR Part 806: Medical Device Corrections and Removals

Original guidance

  • Cybersecurity Maintenance for Medical Devices with Off-The-Shelf Software
  • HTML / PDF
  • Issue date: 2005-01-14
  • Last changed date: 2020-03-19
  • Status: FINAL
  • Official FDA topics: Medical Devices
  • ReguVirta ID: 9858b73cc09aaf07075f495447a93797

This post is licensed under CC BY 4.0 by the author.