Cybersecurity for Networked Medical Devices with Off-The-Shelf Software

This guidance addresses cybersecurity considerations for networked medical devices that contain Off-The-Shelf (OTS) software. It specifically covers medical devices that use OTS software, can connect to networks (private intranet or public Internet), and require updates or patches due to software vulnerabilities.

  1. Establish collaboration between healthcare organizations and device manufacturers for cybersecurity management
  2. Develop and implement a cybersecurity vulnerability management plan
  3. Create a validation protocol for software patches and updates
  4. Document all software changes and their validation results
  5. Maintain communication channels with device manufacturers regarding cybersecurity updates
  6. Review and assess the impact of software patches before implementation
  7. Establish a process to verify FDA approval requirements for software changes
  8. Create a tracking system for implemented software patches and updates
  9. Train relevant staff on cybersecurity procedures and policies
  10. Regularly review and update cybersecurity management procedures

Key Considerations

Software

  • Software patches must be validated under the Quality System regulation
  • Evidence must demonstrate that changed software meets user needs and performs consistently
  • Most software patches are considered design changes that can be implemented without prior FDA review
  • FDA approval is required if software changes affect:
    • Intended use or indications for use
    • Device safety and effectiveness

Cybersecurity

  • Manufacturers must address vulnerabilities in OTS software that can affect device safety and effectiveness
  • Manufacturers must examine sources of quality data and implement corrective actions
  • A plan for implementing software changes should be established and followed

Safety

  • Changes that could make the device less safe require FDA approval
  • Manufacturers must maintain device safety and effectiveness when implementing software updates

Other considerations

  • 21 CFR 10.115: Good Guidance Practices

Original guidance

  • Cybersecurity for Networked Medical Devices with Off-The-Shelf Software
  • Issue date: 2005-02-08
  • Last changed date: 2020-03-24
  • Status: FINAL
  • Official FDA topics: Medical Devices, Digital Health
  • ReguVirta summary file ID: 0d3efb5e0bc82caed812f824df163ba3

This post is licensed under CC BY 4.0 by the author.