Cybersecurity Requirements for Connected Medical Devices with Software (DRAFT)

This guidance provides updates to FDA's premarket cybersecurity guidance to implement section 524B of the FD&C Act, which establishes new cybersecurity requirements for medical devices that meet the definition of cyber devices. It applies to devices that include software, can connect to the internet, and could be vulnerable to cybersecurity threats.

This is a draft guidance. Not for implementation.

  1. Determine if your device meets the “cyber device” definition
  2. Develop comprehensive cybersecurity monitoring and vulnerability management plans
  3. Implement coordinated vulnerability disclosure procedures
  4. Create processes for regular and urgent security updates
  5. Prepare and maintain a complete SBOM
  6. Document cybersecurity risk assessment and controls
  7. Establish procedures for assessing cybersecurity impact of modifications
  8. Consider cybersecurity of related systems and environment of use
  9. Maintain documentation throughout device lifecycle
  10. Include appropriate cybersecurity information in premarket submissions based on submission type and whether changes impact cybersecurity

Key Considerations

Software

  • Must provide a Software Bill of Materials (SBOM) including commercial, open-source, and off-the-shelf components
  • Software includes firmware and programmable logic
  • Must have processes for monitoring and addressing postmarket cybersecurity vulnerabilities

Cybersecurity

  • Must submit a plan to monitor, identify and address postmarket cybersecurity vulnerabilities
  • Must implement coordinated vulnerability disclosure procedures
  • Must provide updates and patches for known vulnerabilities on a regular cycle
  • Must provide urgent updates for critical vulnerabilities that could cause uncontrolled risks
  • Must design, develop and maintain processes to ensure that the device and related systems are cybersecure

Safety

  • Cybersecurity assurance is considered part of the device’s safety and effectiveness determination

Other considerations

  • NIST: Definitions and standards for software, programmable logic controllers, and cybersecurity terminology

Original guidance

  • Cybersecurity Requirements for Connected Medical Devices with Software
  • HTML / PDF
  • Issue date: 2024-03-13
  • Last changed date: 2024-03-12
  • Status: DRAFT
  • Official FDA topics: Medical Devices, Premarket, Biologics
  • ReguVirta summary file ID: d35f906213efe7022e50bfe9f8910dae

This post is licensed under CC BY 4.0 by the author.