Cybersecurity for Networked Medical Devices with Off-The-Shelf Software
This guidance addresses cybersecurity considerations for networked medical devices that contain Off-The-Shelf (OTS) software. It applies to medical devices that incorporate OTS software, can connect to a network (a private intranet or the public Internet), and may therefore require updates or patches to address vulnerabilities in that software.
Recommended Actions
- Establish collaboration between healthcare organizations and device manufacturers for cybersecurity management
- Develop and implement a cybersecurity vulnerability management plan
- Create a validation protocol for software patches and updates
- Document all software changes and their validation results
- Maintain communication channels with device manufacturers regarding cybersecurity updates
- Review and assess the safety and effectiveness impact of each software patch before it is implemented
- Establish a process to determine whether a software change requires a new FDA premarket submission (for example, a new 510(k)) before it is deployed
- Create a tracking system that records each implemented software patch or update, the devices it was applied to, and its validation status
- Train relevant staff on cybersecurity procedures and policies
- Regularly review and update cybersecurity management procedures
Key Considerations
Software
- Software patches must be validated under the Quality System regulation (21 CFR Part 820) before they are deployed
- Validation evidence must demonstrate that the changed software still meets user needs and intended uses and performs consistently
- Most software patches are design changes that can be implemented under the manufacturer's quality system without prior FDA review
- FDA premarket review (such as a new 510(k)) is required before implementation if a software change:
- Constitutes a major change to the intended use or indications for use
- Could significantly affect the device's safety or effectiveness
Cybersecurity
- Manufacturers are responsible for addressing vulnerabilities in OTS software that could affect the safety and effectiveness of their devices
- Manufacturers must examine sources of quality data (including reported OTS vulnerabilities) and implement corrective and preventive actions as required by the Quality System regulation
- A plan for evaluating, validating and implementing software changes should be established and followed
Safety
- Changes that could significantly affect the device's safety or effectiveness require FDA premarket review before they are implemented
- Manufacturers must maintain the device's safety and effectiveness when implementing software updates, including OTS patches
Other considerations
- Healthcare organizations should generally rely on the device manufacturer's guidance before applying OTS patches, since the manufacturer is responsible for validating them on the device
- All software changes, including OTS patches, must be made in compliance with the Quality System regulation
Relevant Guidances
- Cybersecurity Maintenance for Medical Devices with Off-The-Shelf Software
- Off-The-Shelf Software in Medical Devices: Documentation Requirements for Premarket Submissions
- Content of Premarket Submissions for Device Software Functions
- Cybersecurity in Medical Devices: Design, Implementation, and Premarket Submissions
- Postmarket Management of Cybersecurity in Medical Devices
Related references and norms
- 21 CFR 10.115: Good Guidance Practices
Original guidance
- Cybersecurity for Networked Medical Devices with Off-The-Shelf Software
- Format: HTML
- Issue date: 2005-02-08
- Last changed date: 2020-03-24
- Status: FINAL
- Official FDA topics: Medical Devices, Digital Health
- ReguVirta summary file ID: 0d3efb5e0bc82caed812f824df163ba3
This post is licensed under CC BY 4.0 by the author.