Postmarket Management of Cybersecurity in Medical Devices
This guidance applies to marketed and distributed medical devices that contain software/firmware/programmable logic, software that is a medical device (including mobile medical applications), medical devices that are part of an interoperable system, and legacy devices already on the market. It provides recommendations for managing postmarket cybersecurity vulnerabilities and emphasizes manufacturers' responsibility to monitor, identify and address cybersecurity vulnerabilities as part of their postmarket management.
Recommended Actions
- Establish comprehensive cybersecurity risk management program covering entire product lifecycle
- Implement process to:
  - Monitor and identify cybersecurity vulnerabilities
  - Assess exploitability and patient harm risk
  - Determine if risks are controlled or uncontrolled
  - Deploy appropriate remediation measures
- Join and actively participate in an ISAO for threat intelligence sharing
- Develop and implement:
  - Coordinated vulnerability disclosure policy
  - Process for timely customer communication
  - Procedures for deploying patches and updates
- For uncontrolled risks:
  - Notify customers within 30 days
  - Deploy remediation within 60 days
  - Report to FDA if required
- Document all cybersecurity risk management activities and maintain records
- Include cybersecurity information in periodic reports for PMA devices
- Validate all software changes and patches before deployment
- Provide users with information about cybersecurity risks and controls
- Maintain ongoing assessment of cybersecurity threats and vulnerabilities throughout device lifecycle
Key Considerations
Non-clinical testing
- Validate software changes under 21 CFR 820.30(g) to ensure remediation effectively mitigates vulnerabilities without creating new risks
- Conduct cybersecurity risk analyses and threat modeling for each device and update over time
- Assess impact of vulnerabilities across product portfolio (horizontal) and within device components (vertical)
Software
- Implement comprehensive cybersecurity risk management programs throughout product lifecycle
- Monitor and identify cybersecurity vulnerabilities and risks
- Maintain robust software lifecycle processes including monitoring third-party components
- Deploy mitigations prior to exploitation
- Validate patches and updates before deployment
Cybersecurity
- Establish process for assessing exploitability of vulnerabilities and severity of patient harm
- Implement defense-in-depth strategy with device-based features and compensating controls
- Adopt coordinated vulnerability disclosure policy
- Actively participate in an Information Sharing and Analysis Organization (ISAO)
- Communicate with customers about vulnerabilities and remediation within specified timeframes
- Address uncontrolled risks within 60 days of discovery
Labelling
- Provide users with information on recommended controls and residual cybersecurity risks
- Include cybersecurity information in customer communications about vulnerabilities
Safety
- Define safety and essential performance criteria for devices
- Assess patient harm risk if cybersecurity is compromised
- Implement risk control measures to maintain safety and essential performance
- Document risk assessment and remediation methods
Other considerations
- Report certain cybersecurity remediation actions to FDA under 21 CFR part 806
- Include cybersecurity updates in periodic reports for PMA devices
- Maintain documentation of risk management activities
- Consider participating in an ISAO for threat intelligence sharing
Relevant Guidances
- Content of Premarket Submissions for Device Software Functions
- Cybersecurity in Medical Devices: Design, Implementation, and Premarket Submissions
- Off-The-Shelf Software in Medical Devices: Documentation Requirements for Premarket Submissions
- Software Validation for Medical Device Production, Quality Systems, and Device Components
- Design Considerations and Recommendations for Interoperable Medical Devices
- Policy for Device Software Functions and Mobile Medical Applications
Related references and norms
- ANSI/AAMI/ISO 14971:2007/(R)2010: Medical Devices – Application of Risk Management to Medical Devices
- ANSI/AAMI ES60601-1:2005/(R)2012: Medical Electrical Equipment – Part 1: General Requirements for Basic Safety and Essential Performance
- ISO/IEC 29147:2014: Information Technology – Security Techniques – Vulnerability Disclosure
- ISO/IEC 30111:2013: Information Technology – Security Techniques – Vulnerability Handling Processes
Original guidance
- Postmarket Management of Cybersecurity in Medical Devices
- HTML / PDF
- Issue date: 2016-12-28
- Last changed date: 2019-03-07
- Status: FINAL
- Official FDA topics: Medical Devices, Errors and Problems, Digital Health, Postmarket, Premarket Approval (PMA), 510(k), Premarket, Labeling, Safety - Issues
- ReguVirta summary file ID: 9aba249d171bf76cc91b56f3458f0883
This post is licensed under CC BY 4.0 by the author.