Post

Cybersecurity in Medical Devices: Design, Implementation, and Premarket Submissions

This guidance is applicable to devices with cybersecurity considerations, including but not limited to devices that have device software functions or contain software (including firmware) or programmable logic. The guidance applies to all types of medical devices whether or not they require a premarket submission. It provides recommendations regarding cybersecurity information to be submitted for various types of premarket submissions to FDA's CDRH and CBER centers.

  1. Implement a Secure Product Development Framework (SPDF) that includes security risk management processes
  2. Perform threat modeling and cybersecurity risk assessment during device design
  3. Develop security architecture with appropriate controls and document through architecture views
  4. Generate and maintain Software Bill of Materials (SBOM)
  5. Establish testing processes to verify security controls effectiveness
  6. Create cybersecurity labeling that provides relevant security information to users
  7. Develop cybersecurity management plans for ongoing vulnerability monitoring and updates
  8. Establish coordinated vulnerability disclosure process
  9. Include recommended cybersecurity documentation in premarket submissions
  10. Enable secure device updates and provide update processes to users
  11. Implement security controls that scale with device cybersecurity risk
  12. Consider cybersecurity throughout the total product lifecycle

Key Considerations

Non-clinical testing

  • Implement cybersecurity testing including:
    • Security requirements testing
    • Threat mitigation testing
    • Vulnerability testing
    • Penetration testing
  • Testing should be performed throughout product lifecycle
  • Testing documentation and reports should be submitted in premarket submissions

Software

  • Implement secure product development framework (SPDF)
  • Establish security risk management processes
  • Provide software bill of materials (SBOM)
  • Enable secure software/firmware updates
  • Implement security controls for:
    • Authentication
    • Authorization
    • Cryptography
    • Code/data integrity
    • Event logging
    • Recovery capabilities

Cybersecurity

  • Perform threat modeling and risk assessment
  • Implement security architecture with appropriate controls
  • Enable device monitoring and incident response
  • Provide security documentation and architecture views
  • Establish vulnerability management processes
  • Enable secure configuration management
  • Support device updatability and patchability

Labeling

  • Include cybersecurity information in device labeling:
    • Security control recommendations
    • Network requirements
    • Security implementation guidance
    • Software/firmware update procedures
    • Security event handling
    • Device configuration guidance
    • End of support information
    • Decommissioning procedures

Safety

  • Ensure cybersecurity controls do not impact device safety
  • Assess security risks that could impact safety
  • Implement controls to maintain safety during security events
  • Enable secure safety-critical functionality

Other considerations

  • ANSI/UL 2900: Software Cybersecurity for Network-Connectable Products
  • ANSI/ISA 62443-4-1: Security for industrial automation and control systems Part 4-1: Product security development life-cycle requirements
  • IEC 81001-5-1: Health software and health IT systems safety, effectiveness and security
  • ISO/IEC 27032: Information technology - Security techniques - Guidelines for cybersecurity
  • AAMI TIR57: Principles for medical device security - Risk management
  • IEC TR 80001-2-2: Application of risk management for IT-networks incorporating medical devices
  • NIST SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations

Original guidance

  • Cybersecurity in Medical Devices: Design, Implementation, and Premarket Submissions
  • HTML / PDF
  • Issue date: 2023-09-27
  • Last changed date: 2024-09-26
  • Status: FINAL
  • Official FDA topics: Medical Devices, Digital Health, Premarket
  • ReguVirta summary file ID: 9c25630505c41283eb2a99261289f883
This post is licensed under CC BY 4.0 by the author.