Cybersecurity Maintenance for Medical Devices with Off-The-Shelf Software
This guidance addresses cybersecurity considerations for medical devices that incorporate off-the-shelf (OTS) software and can be connected to private intranets or the public Internet. It clarifies how existing regulations, particularly the Quality System (QS) Regulation (21 CFR Part 820), apply to cybersecurity maintenance activities such as validating and deploying patches to the OTS software.
Recommended Actions
- Develop and implement a comprehensive cybersecurity maintenance plan
- Establish formal relationships with OTS software vendors
- Implement a validation process for all cybersecurity-related software changes
- Document all cybersecurity-related changes in the design history file
- Evaluate each patch for potential impact on device safety and effectiveness
- Determine if FDA notification is required for each cybersecurity patch
- Maintain records of all cybersecurity vulnerability assessments and corrections
- Create a process for responding to user concerns about cybersecurity vulnerabilities
- Establish clear procedures for delegating maintenance tasks while maintaining oversight
- Implement a system for monitoring and receiving information about new cybersecurity vulnerabilities
Key Considerations
Non-clinical testing
- Software changes must be validated before approval and issuance
- Analysis, inspection, and testing should be adequate for most cybersecurity patches
- Clinical validation typically not necessary for cybersecurity patches
Software
- Device manufacturers are responsible for the continued safe and effective performance of the medical device, including the performance of any OTS software it incorporates
- Software patches must be validated according to established protocols
- Changes must be documented in the design history file
- A single cybersecurity maintenance plan should be developed
- Formal business relationships should be maintained with OTS software vendors
Cybersecurity
- Vulnerabilities in OTS software can allow unauthorized access to the device or to the network it is connected to, and must be addressed
- Timely software patches are required to correct newly discovered vulnerabilities
- Users should not apply patches or other software changes without the manufacturer's recommendation
- Systematic analysis of vulnerabilities, as a source of potential nonconformity, is required under the corrective and preventive action requirements of 21 CFR 820.100
Safety
- Actions taken should be appropriate to the magnitude of the problem and risks
- Changes that could significantly affect the safety or effectiveness of the device require premarket review by FDA (a new 510(k) or a PMA supplement, depending on the device)
- Patches applied to reduce a risk to health are corrections that must be reported to FDA under 21 CFR Part 806
Other considerations
- New 510(k) submission usually not required for software patches
- PMA supplements required if patches affect approved indications or safety/effectiveness
- Maintenance responsibilities can be delegated but manufacturer maintains overall responsibility
Relevant Guidances
- Cybersecurity for Networked Medical Devices with Off-The-Shelf Software
- Cybersecurity in Medical Devices: Design, Implementation, and Premarket Submissions
- Postmarket Management of Cybersecurity in Medical Devices
- Content of Premarket Submissions for Device Software Functions
- Off-The-Shelf Software in Medical Devices: Documentation Requirements for Premarket Submissions
Related references and norms
- 21 CFR Part 820: Quality System Regulation
- 21 CFR 807.81(a)(3): when a change to a legally marketed device requires a new 510(k)
- 21 CFR 814.39: PMA supplement requirements
- 21 CFR Part 806: Medical Device Corrections and Removals
This post is licensed under CC BY 4.0 by the author.