Cybersecurity in Medical Devices: Design, Implementation, and Premarket Submissions
This guidance is applicable to devices with cybersecurity considerations, including but not limited to devices that have device software functions or contain software (including firmware) or programmable logic. The guidance applies to all types of medical devices whether or not they require a premarket submission. It provides recommendations regarding cybersecurity information to be submitted for various types of premarket submissions to FDA's CDRH and CBER centers.
Recommended Actions
- Implement a Secure Product Development Framework (SPDF) that includes security risk management processes
- Perform threat modeling and cybersecurity risk assessment during device design
- Develop security architecture with appropriate controls and document through architecture views
- Generate and maintain Software Bill of Materials (SBOM)
- Establish testing processes to verify security controls effectiveness
- Create cybersecurity labeling that provides relevant security information to users
- Develop cybersecurity management plans for ongoing vulnerability monitoring and updates
- Establish coordinated vulnerability disclosure process
- Include recommended cybersecurity documentation in premarket submissions
- Enable secure device updates and provide update processes to users
- Implement security controls that scale with device cybersecurity risk
- Consider cybersecurity throughout the total product lifecycle
Key Considerations
Non-clinical testing
- Implement cybersecurity testing including:
  - Security requirements testing
  - Threat mitigation testing
  - Vulnerability testing
  - Penetration testing
- Testing should be performed throughout the product lifecycle
- Testing documentation and reports should be submitted in premarket submissions
Software
- Implement a secure product development framework (SPDF)
- Establish security risk management processes
- Provide a software bill of materials (SBOM)
- Enable secure software/firmware updates
- Implement security controls for:
  - Authentication
  - Authorization
  - Cryptography
  - Code/data integrity
  - Event logging
  - Recovery capabilities
Cybersecurity
- Perform threat modeling and risk assessment
- Implement security architecture with appropriate controls
- Enable device monitoring and incident response
- Provide security documentation and architecture views
- Establish vulnerability management processes
- Enable secure configuration management
- Support device updatability and patchability
Labeling
- Include cybersecurity information in device labeling:
  - Security control recommendations
  - Network requirements
  - Security implementation guidance
  - Software/firmware update procedures
  - Security event handling
  - Device configuration guidance
  - End-of-support information
  - Decommissioning procedures
Safety
- Ensure cybersecurity controls do not impact device safety
- Assess security risks that could impact safety
- Implement controls to maintain safety during security events
- Enable secure safety-critical functionality
Other considerations
- Establish a coordinated vulnerability disclosure process
- Provide cybersecurity management plans
- Consider supply chain security
- Enable secure interoperability
- Support forensic evidence capture
Relevant Guidances
- Content of Premarket Submissions for Device Software Functions
- Off-The-Shelf Software in Medical Devices: Documentation Requirements for Premarket Submissions
- Software Validation for Medical Device Production, Quality Systems, and Device Components
- Policy for Device Software Functions and Mobile Medical Applications
- Design Considerations and Recommendations for Interoperable Medical Devices
- Cybersecurity for Networked Medical Devices with Off-The-Shelf Software
- Cybersecurity Maintenance for Medical Devices with Off-The-Shelf Software
Related references and norms
- ANSI/UL 2900: Software Cybersecurity for Network-Connectable Products
- ANSI/ISA 62443-4-1: Security for industrial automation and control systems Part 4-1: Product security development life-cycle requirements
- IEC 81001-5-1: Health software and health IT systems safety, effectiveness and security
- ISO/IEC 27032: Information technology - Security techniques - Guidelines for cybersecurity
- AAMI TIR57: Principles for medical device security - Risk management
- IEC TR 80001-2-2: Application of risk management for IT-networks incorporating medical devices
- NIST SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations
Original guidance
This post is licensed under CC BY 4.0 by the author.