Cybersecurity Requirements for Connected Medical Devices with Software (DRAFT)

This guidance provides updates to FDA's premarket cybersecurity guidance to implement section 524B of the FD&C Act, which establishes new cybersecurity requirements for medical devices that meet the definition of cyber devices. It applies to devices that include software, can connect to the internet, and could be vulnerable to cybersecurity threats.

This is a draft guidance. Not for implementation.

What You Need to Know 👇

What devices are considered “cyber devices” under Section 524B of the FD&C Act?

Cyber devices are medical devices that include software, have the ability to connect to the internet (through Wi-Fi, Bluetooth, USB, etc.), and contain technological characteristics that could be vulnerable to cybersecurity threats.

What documentation must manufacturers submit for cyber devices under the new FDA requirements?

Manufacturers must submit three key components: a cybersecurity monitoring and vulnerability disclosure plan, processes ensuring reasonable cybersecurity assurance, and a Software Bill of Materials (SBOM) including all commercial and open-source components.

How does FDA determine if a cyber device modification impacts cybersecurity requirements?

Changes that may impact cybersecurity include modifications to authentication, encryption algorithms, new connectivity features, or software update mechanisms. Changes unlikely to impact cybersecurity include material changes, sterilization methods, or algorithm changes without architectural modifications.

What is the difference between coordinated vulnerability disclosure and regular vulnerability management?

Coordinated vulnerability disclosure involves structured communication with external researchers and third parties about vulnerabilities, while regular vulnerability management includes internal monitoring, patching cycles, and critical out-of-cycle updates for uncontrolled risks.

How does the “reasonable assurance of cybersecurity” standard affect FDA’s device approval process?

FDA interprets reasonable assurance of cybersecurity as part of determining device safety and effectiveness. This standard applies across all premarket pathways (510(k), PMA, De Novo, HDE) and can influence substantial equivalence determinations.

What are the key differences in cybersecurity requirements for device modifications versus new submissions?

For modifications unlikely to impact cybersecurity, manufacturers can provide summary assessments and reference previous plans rather than full documentation. However, modifications that may impact cybersecurity require complete documentation as outlined in Section 524B requirements.
What You Need to Do 👇

  1. Determine if your device meets the “cyber device” definition
  2. Develop comprehensive cybersecurity monitoring and vulnerability management plans
  3. Implement coordinated vulnerability disclosure procedures
  4. Create processes for regular and urgent security updates
  5. Prepare and maintain a complete SBOM
  6. Document cybersecurity risk assessment and controls
  7. Establish procedures for assessing cybersecurity impact of modifications
  8. Consider cybersecurity of related systems and environment of use
  9. Maintain documentation throughout device lifecycle
  10. Include appropriate cybersecurity information in premarket submissions based on submission type and whether changes impact cybersecurity

Key Considerations

Software

  • Must provide a Software Bill of Materials (SBOM) including commercial, open-source, and off-the-shelf components
  • Software includes firmware and programmable logic
  • Must have processes for monitoring and addressing postmarket cybersecurity vulnerabilities

Cybersecurity

  • Must submit a plan to monitor, identify and address postmarket cybersecurity vulnerabilities
  • Must implement coordinated vulnerability disclosure procedures
  • Must provide updates and patches for known vulnerabilities on a regular cycle
  • Must provide urgent updates for critical vulnerabilities that could cause uncontrolled risks
  • Must design, develop and maintain processes to ensure device and related systems are cybersecure

Safety

  • Cybersecurity assurance is considered part of the device’s safety and effectiveness determination

Other considerations

  • Requirements apply to 510(k), PMA, PDP, De Novo, and HDE submissions
  • Different documentation requirements for modifications that impact vs. don’t impact cybersecurity
  • Must consider related systems including manufacturer-controlled elements

Relevant Guidances 🔗

  • NIST: Definitions and standards for software, programmable logic controllers, and cybersecurity terminology

Original guidance

  • Cybersecurity Requirements for Connected Medical Devices with Software
  • Issue date: 2024-03-13
  • Last changed date: 2024-03-12
  • Status: DRAFT
  • Official FDA topics: Medical Devices, Premarket, Biologics
  • ReguVirta ID: d35f906213efe7022e50bfe9f8910dae
This post is licensed under CC BY 4.0 by the author.