Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions
Just in time for the Oct. 1, 2023 effective date of FDA’s Cybersecurity RTA (refuse to accept) policy, the agency released its final guidance for Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions (Sept. 27, 2023). This highly anticipated document replaces the 2014 Premarket Guidance and provides significantly more detail and specificity. It describes what manufacturers must submit to demonstrate “reasonable assurance that the devices are safe and effective for their intended use”. Building on a risk-based approach to “Designing for Security”, FDA expects manufacturers to mitigate security risks throughout the Total Product Lifecycle (TPLC), i.e. both pre- and postmarket, which can be achieved through the adoption of a Secure Product Development Framework (SPDF).
Although the Cybersecurity Guidance is aimed at device manufacturers, a significant portion of it deals with the interaction between the manufacturer and the buyer/operator. Healthcare providers in particular should understand the following aspects of the Guidance, since they bear directly on what providers can expect from, and ask of, their suppliers and vendors:
Applicability: The Guidance applies to all “cyber devices”, a definition that turns on the “ability to connect” (to the internet), i.e., it covers devices that can be connected, not only those intended to be connected.
Scope: Manufacturers are expected to take a total system approach to security, i.e., include in their cybersecurity considerations not just the device itself but also its production, distribution, and maintenance environment as well as its target integration environment.
Transparency: Manufacturers are expected to provide cybersecurity documentation (see section VI.A of the Guidance for a complete list), including: cybersecurity instructions and diagrams; infrastructure and integration requirements; maintenance and a Software Bill of Materials (SBOM).
Incident Response: Description of features such as security event detection and logging, forensic data capture, a fail-safe mode, as well as backup and restore.
Maintenance: Instructions pertaining to security maintenance and lifecycle management, including instructions for secure updates, information about the level of support provided and software end-of-support dates, as well as information about secure decommissioning.
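As an added example (it is not part of the Guidance or of this post), the following Python script sketches the kind of check a provider’s security team might run on a vendor-supplied SBOM before accepting a device: it verifies that each component carries a name, version and supplier, plus the level-of-support and end-of-support information the Guidance asks manufacturers to provide, and flags components whose end-of-support date has already passed. The CycloneDX JSON layout, the property names fda:support_level and fda:end_of_support, and the sample components are all assumptions constructed for the example; the Guidance does not prescribe a field naming.

```python
"""Review a CycloneDX-style SBOM for the support information the FDA
guidance asks manufacturers to supply.

Added example, not code from the guidance or the post. Assumptions
(hypothetical): the SBOM is CycloneDX 1.x JSON, and the manufacturer
records support level and end-of-support date as component `properties`
named "fda:support_level" and "fda:end_of_support".
"""
import json
from datetime import date

REQUIRED_FIELDS = ("name", "version", "supplier")
SUPPORT_LEVEL = "fda:support_level"    # hypothetical property name
END_OF_SUPPORT = "fda:end_of_support"  # hypothetical property name

# Constructed sample SBOM: one healthy component, one past end of support,
# one with the support information missing entirely.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13",
         "supplier": {"name": "OpenSSL Project"},
         "properties": [
             {"name": SUPPORT_LEVEL, "value": "actively maintained"},
             {"name": END_OF_SUPPORT, "value": "2026-09-07"}]},
        {"type": "operating-system", "name": "embedded-linux", "version": "4.19",
         "supplier": {"name": "Example Vendor"},
         "properties": [
             {"name": SUPPORT_LEVEL, "value": "security fixes only"},
             {"name": END_OF_SUPPORT, "value": "2023-03-01"}]},
        {"type": "library", "name": "libfoo", "version": "1.2"},  # no supplier, no support data
    ],
})


def _properties(component):
    """Flatten a component's CycloneDX `properties` list into a dict."""
    return {p.get("name"): p.get("value") for p in component.get("properties", [])}


def review_sbom(sbom_json, today):
    """Return (component label, finding) pairs for missing or expired data.

    `today` may be a datetime.date or an ISO date string; it is passed in
    rather than read from the clock so results are reproducible.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        label = f"{comp.get('name', '?')}@{comp.get('version', '?')}"
        # Minimum identification fields every SBOM entry should carry.
        for field in REQUIRED_FIELDS:
            if not comp.get(field):
                findings.append((label, f"missing {field}"))
        props = _properties(comp)
        if not props.get(SUPPORT_LEVEL):
            findings.append((label, "missing support level"))
        eos = props.get(END_OF_SUPPORT)
        if not eos:
            findings.append((label, "missing end-of-support date"))
            continue
        try:
            eos_date = date.fromisoformat(eos)
        except ValueError:
            findings.append((label, f"unparseable end-of-support date {eos!r}"))
            continue
        if eos_date < today:
            findings.append((label, f"end of support passed on {eos}"))
    return findings


if __name__ == "__main__":
    for label, finding in review_sbom(SAMPLE_SBOM, "2023-10-01"):
        print(f"{label}: {finding}")
```

Run against the constructed SBOM with a reference date of 2023-10-01, the script reports nothing for openssl, an expired end-of-support date for embedded-linux, and three missing items for libfoo. In practice the property names would be agreed with the vendor, and the check would be extended to compare each component against the provider’s vulnerability feeds.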
In summary, the Guidance reflects FDA’s current thinking on the “identification of security risks, the design requirements for how the risks will be controlled, and the evidence that the controls function as designed and are effective in their environment of use for ensuring adequate security”. For more detail on the agency’s cybersecurity initiatives, including background and educational materials for manufacturers as well as hospitals, see the FDA’s Cybersecurity page.