Postmarket Management of Cybersecurity in Medical Devices
This guidance applies to marketed and distributed medical devices that contain software/firmware/programmable logic, software that is a medical device (including mobile medical applications), medical devices that are part of an interoperable system, and legacy devices already on the market. It provides recommendations for managing postmarket cybersecurity vulnerabilities and emphasizes manufacturers' responsibility to monitor, identify and address cybersecurity vulnerabilities as part of their postmarket management.
What You Need to Know 👇
What are cybersecurity routine updates and patches for medical devices?
Cybersecurity routine updates and patches are changes to increase device security or remediate vulnerabilities with controlled risk of patient harm. These include regularly scheduled security updates, software/firmware upgrades, and changes to product labeling for cybersecurity education. They’re considered device enhancements, not repairs.
When must manufacturers report cybersecurity vulnerabilities to FDA?
Manufacturers must report under 21 CFR part 806 when vulnerabilities pose uncontrolled risk of patient harm. However, FDA won’t enforce reporting if manufacturers communicate with customers within 30 days, fix vulnerabilities within 60 days, and actively participate in an ISAO sharing medical device cybersecurity information.
How should manufacturers assess cybersecurity vulnerability risk?
Manufacturers should evaluate exploitability using a scoring system such as the Common Vulnerability Scoring System (CVSS) and separately assess the severity of the potential patient harm. Combining the two, the risk is categorized as controlled (acceptable) or uncontrolled (unacceptable) based on the likelihood of exploit, the impact on the device's safety and essential performance, and the severity of the potential patient harm.
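As an added illustration of the two previous points (not part of the guidance or this summary), the following Python computes a CVSS v3.1 base score from a vector string, combines it with a patient-harm severity rank to classify the risk as controlled or uncontrolled, derives the 30-day notification and 60-day remediation dates for uncontrolled risk, and checks the three conditions under which FDA says it will not enforce 21 CFR part 806 reporting. The controlled/uncontrolled thresholds and the harm labels are assumptions for illustration; the guidance leaves those criteria to each manufacturer's risk management process.

```python
from datetime import date, timedelta

# CVSS v3.1 base-metric weights from the FIRST specification.
_W = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2},
    "AC": {"L": 0.77, "H": 0.44},
    "UI": {"N": 0.85, "R": 0.62},
    "CIA": {"H": 0.56, "L": 0.22, "N": 0.0},
}
# Privileges Required weights depend on whether Scope is Unchanged (U) or Changed (C).
_PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27}, "C": {"N": 0.85, "L": 0.68, "H": 0.5}}

def _roundup(x):
    """CVSS v3.1 Roundup: one decimal place, always rounding up."""
    i = int(round(x * 100000))
    return i / 100000.0 if i % 10000 == 0 else (i // 10000 + 1) / 10.0

def cvss31_base_score(vector):
    """Base score for a vector such as 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'."""
    m = dict(part.split(":") for part in vector.split("/")[1:])
    cia = _W["CIA"]
    iss = 1 - (1 - cia[m["C"]]) * (1 - cia[m["I"]]) * (1 - cia[m["A"]])
    if m["S"] == "U":
        impact = 6.42 * iss
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    exploitability = 8.22 * _W["AV"][m["AV"]] * _W["AC"][m["AC"]] * _PR[m["S"]][m["PR"]] * _W["UI"][m["UI"]]
    if impact <= 0:
        return 0.0
    total = impact + exploitability if m["S"] == "U" else 1.08 * (impact + exploitability)
    return _roundup(min(total, 10))

# Patient-harm severity ranks (ISO 14971-style labels, assumed here).
HARM = {"negligible": 0, "minor": 1, "serious": 2, "critical": 3, "catastrophic": 4}

def triage(vector, harm, discovered):
    """Classify the risk and, if uncontrolled, derive the guidance's 30-day customer
    notification and 60-day remediation dates (ISO strings). The numeric thresholds
    below are assumed placeholders, not values from the guidance."""
    score, rank = cvss31_base_score(vector), HARM[harm]
    uncontrolled = (rank >= 2 and score >= 7.0) or (rank >= 3 and score >= 4.0)
    result = {"cvss": score, "risk": "uncontrolled" if uncontrolled else "controlled"}
    if uncontrolled:
        d0 = date.fromisoformat(discovered)
        result["notify_customers_by"] = (d0 + timedelta(days=30)).isoformat()
        result["remediate_by"] = (d0 + timedelta(days=60)).isoformat()
    return result

def enforcement_discretion_applies(discovered, notified, remediated, active_isao):
    """21 CFR part 806: customers notified within 30 days, fix available within
    60 days, and active ISAO participation. All dates are ISO strings."""
    d0 = date.fromisoformat(discovered)
    return (active_isao and date.fromisoformat(notified) <= d0 + timedelta(days=30)
            and date.fromisoformat(remediated) <= d0 + timedelta(days=60))
```

The vectors and dates passed in are constructed inputs; the Scope-Changed branch uses the specification's adjusted impact formula and 1.08 multiplier.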
What constitutes active participation in an Information Sharing Analysis Organization (ISAO)?
Active ISAO participation requires: membership in an ISAO sharing medical device vulnerabilities/threats, documented ISAO policies for participant agreements and privacy protections, sharing vulnerability information including customer communications with the ISAO, and documented processes for assessing and responding to ISAO threat intelligence.
What are compensating controls in medical device cybersecurity?
Compensating controls are safeguards deployed outside the device design itself, configurable in the field by users, that provide supplementary protection against identified vulnerabilities. An example is a network configuration change that prevents unauthorized access to a device that can safely operate without network connectivity.
What information should be included in PMA periodic reports for cybersecurity?
PMA periodic reports should include: vulnerability description and discovery method, risk assessment conclusions (controlled/uncontrolled), description of changes made, rationale for changes, references to related submissions/devices, event identification numbers, UDI if available, links to government advisories, customer notifications, and ISAO reporting details.
What You Need to Do 👇
Recommended Actions
- Establish a comprehensive cybersecurity risk management program covering the entire product lifecycle
- Implement a process to:
  - Monitor and identify cybersecurity vulnerabilities
  - Assess exploitability and patient harm risk
  - Determine whether risks are controlled or uncontrolled
  - Deploy appropriate remediation measures
- Join and actively participate in an ISAO for threat intelligence sharing
- Develop and implement:
  - A coordinated vulnerability disclosure policy
  - A process for timely customer communication
  - Procedures for deploying patches and updates
- For uncontrolled risks:
  - Notify customers within 30 days
  - Deploy remediation within 60 days
  - Report to FDA if required
- Document all cybersecurity risk management activities and maintain records
- Include cybersecurity information in periodic reports for PMA devices
- Validate all software changes and patches before deployment
- Provide users with information about cybersecurity risks and controls
- Maintain ongoing assessment of cybersecurity threats and vulnerabilities throughout the device lifecycle
Key Considerations
Non-clinical testing
- Validate software changes under 21 CFR 820.30(g) to ensure remediation effectively mitigates vulnerabilities without creating new risks
- Conduct cybersecurity risk analyses and threat modeling for each device and update over time
- Assess impact of vulnerabilities across product portfolio (horizontal) and within device components (vertical)
Software
- Implement comprehensive cybersecurity risk management programs throughout product lifecycle
- Monitor and identify cybersecurity vulnerabilities and risks
- Maintain robust software lifecycle processes including monitoring third-party components
- Deploy mitigations prior to exploitation
- Validate patches and updates before deployment
Cybersecurity
- Establish process for assessing exploitability of vulnerabilities and severity of patient harm
- Implement defense-in-depth strategy with device-based features and compensating controls
- Adopt coordinated vulnerability disclosure policy
- Actively participate in an Information Sharing and Analysis Organization (ISAO)
- Communicate with customers about vulnerabilities and remediation within specified timeframes
- Address uncontrolled risks within 60 days of discovery
Labelling
- Provide users with information on recommended controls and residual cybersecurity risks
- Include cybersecurity information in customer communications about vulnerabilities
Safety
- Define safety and essential performance criteria for devices
- Assess patient harm risk if cybersecurity is compromised
- Implement risk control measures to maintain safety and essential performance
- Document risk assessment and remediation methods
Other considerations
- Report certain cybersecurity remediation actions to FDA under 21 CFR part 806
- Include cybersecurity updates in periodic reports for PMA devices
- Maintain documentation of risk management activities
- Consider participating in an ISAO for threat intelligence sharing
Relevant Guidances 🔗
- Content of Premarket Submissions for Device Software Functions
- Cybersecurity in Medical Devices: Design, Implementation, and Premarket Submissions
- Off-The-Shelf Software in Medical Devices: Documentation Requirements for Premarket Submissions
- Software Validation for Medical Device Production, Quality Systems, and Device Components
- Design Considerations and Recommendations for Interoperable Medical Devices
- Policy for Device Software Functions and Mobile Medical Applications
Related references and norms 📂
- ANSI/AAMI/ISO 14971:2007/(R)2010: Medical Devices – Application of Risk Management to Medical Devices
- ANSI/AAMI ES60601-1:2005/(R)2012: Medical Electrical Equipment – Part 1: General Requirements for Basic Safety and Essential Performance
- ISO/IEC 29147:2014: Information Technology – Security Techniques – Vulnerability Disclosure
- ISO/IEC 30111:2013: Information Technology – Security Techniques – Vulnerability Handling Processes
Original guidance
- Postmarket Management of Cybersecurity in Medical Devices
- HTML / PDF
- Issue date: 2016-12-28
- Last changed date: 2019-03-07
- Status: FINAL
- Official FDA topics: Medical Devices, Errors, Digital Health, Postmarket, and Problems, Premarket Approval (PMA), 510(k), Premarket, Labeling, Safety - Issues
- ReguVirta ID: 9aba249d171bf76cc91b56f3458f0883