On October 18, 2018, FDA issued draft Guidance on Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.  Due to the frequency and severity of cybersecurity threats to the healthcare sector, the draft Guidance provides recommendations to consider and information to include in FDA medical device premarket submissions for effective cybersecurity management. 

The Guidance outlines recommendations to manufacturers regarding cybersecurity device design, labeling, and documentation in premarket submissions for medical devices with cybersecurity risks.  The recommendations are intended to facilitate an efficient premarket review process and help ensure that marketed medical devices are sufficiently resilient to cybersecurity threats.

Manufacturers are encouraged to design trustworthy devices to manage cybersecurity-related risks consistent with the National Institute of Standards and Technology (NIST) Cybersecurity Framework core functions of identify, protect, detect, respond, and recover.  A trustworthy design should incorporate the recommended cybersecurity design controls, which include:

  • Preventing all unauthorized use;
  • Ensuring code, data, and execution integrity;
  • Protecting confidentiality of data;
  • Detecting and responding to dynamic cybersecurity risks; and
  • Recovering capabilities and services in the event of a cybersecurity incident.

The Guidance sets forth labeling recommendations to inform end-users of relevant security information for devices with cybersecurity risks as an effective way to manage cybersecurity risks and ensure a device remains safe and effective throughout its life-cycle.

The Guidance defines two tiers of medical devices according to their cybersecurity risk.  A Tier 1 device with higher cybersecurity risk is one that (1) is capable of connecting (e.g., wired, wirelessly) to another medical or non-medical product, or to a network, or to the Internet, and (2) a cybersecurity incident affecting the device could directly result in patient harm to multiple patients.  A Tier 2 device with standard cybersecurity risk is one for which the Tier 1 device criteria are not met.  The Guidance emphasizes the need for Tier 1 devices to include design feature documentation in the premarket submission that demonstrates how the device design and risk assessment incorporate the recommended cybersecurity design controls.  For Tier 2 devices, manufacturers need only provide a risk-based rationale for why specific recommended cybersecurity design controls are not appropriate.

In addition to the design feature documentation, the Guidance recommends and outlines risk management documentation for premarket submissions, assessing threat models, clinical hazards, mitigation activities, and testing.

Readers are encouraged to read the draft Guidance, also available on FDA's website.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.