Cybersecurity Requirements for Connected Medical Devices with Software (DRAFT)
This guidance updates FDA's premarket cybersecurity guidance to implement section 524B of the FD&C Act, which establishes new cybersecurity requirements for medical devices that meet the definition of "cyber devices". It applies to devices that include software, can connect to the internet, and could be vulnerable to cybersecurity threats.
This is a draft guidance. Not for implementation.
Recommended Actions
- Determine if your device meets the “cyber device” definition
- Develop comprehensive cybersecurity monitoring and vulnerability management plans
- Implement coordinated vulnerability disclosure procedures
- Create processes for regular and urgent security updates
- Prepare and maintain a complete SBOM
- Document cybersecurity risk assessment and controls
- Establish procedures for assessing cybersecurity impact of modifications
- Consider cybersecurity of related systems and environment of use
- Maintain documentation throughout device lifecycle
- Include appropriate cybersecurity information in premarket submissions based on submission type and whether changes impact cybersecurity
Key Considerations
Software
- Must provide a Software Bill of Materials (SBOM) including commercial, open-source, and off-the-shelf components
- Software includes firmware and programmable logic
- Must have processes for monitoring and addressing postmarket cybersecurity vulnerabilities
Cybersecurity
- Must submit a plan to monitor, identify and address postmarket cybersecurity vulnerabilities
- Must implement coordinated vulnerability disclosure procedures
- Must provide updates and patches for known vulnerabilities on a regular cycle
- Must provide urgent updates for critical vulnerabilities that could cause uncontrolled risks
- Must design, develop, and maintain processes to ensure that the device and related systems are cybersecure
Safety
- Cybersecurity assurance is considered part of the device’s safety and effectiveness determination
Other considerations
- Requirements apply to 510(k), PMA, PDP, De Novo, and HDE submissions
- Documentation requirements differ for modifications that impact cybersecurity and those that do not
- Must consider related systems including manufacturer-controlled elements
Relevant Guidances
- Content of Premarket Submissions for Device Software Functions
- Cybersecurity in Medical Devices: Design, Implementation, and Premarket Submissions
- Off-The-Shelf Software in Medical Devices: Documentation Requirements for Premarket Submissions
- Postmarket Management of Cybersecurity in Medical Devices
Related references and norms
- NIST: Definitions and standards for software, programmable logic controllers, and cybersecurity terminology
Original guidance
This post is licensed under CC BY 4.0 by the author.