Cyber incidents continue to rise, with no sign of slowing, particularly in the healthcare industry. In response, on September 27, 2023, the U.S. Food and Drug Administration (FDA) issued final guidance, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions. The guidance replaces the FDA’s 2014 guidance, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.
In the introduction to the guidance, the FDA notes the increasing use of wireless, Internet- and network-connected capabilities in medical devices, the use of portable media, and the frequent electronic exchange of medical device-related health information, all of which create a need for more “robust cybersecurity controls to ensure medical device safety and effectiveness . . . .”
The guidance addresses the cybersecurity considerations that may affect device safety and effectiveness, including, but not limited to, the device’s software, firmware, and hardware.
The guidance recommends “designing for security” and states that, when reviewing premarket submissions, the FDA will assess a device’s cybersecurity based on a number of factors. Premarket submissions should describe how security objectives are addressed and integrated into the device’s design. The guidance emphasizes that cybersecurity is part of device safety and of the quality system requirements found in federal regulations (the Quality System Regulation, 21 CFR Part 820), and that those requirements may apply at the premarket stage, the postmarket stage, or both.
The guidance provides recommendations on:
- Cybersecurity testing and validation of connected devices, including against compromises that could affect multiple connected devices;
- Labeling for devices with cybersecurity risks;
- Developing a cybersecurity management plan that describes how the manufacturer will identify and communicate postmarket vulnerabilities in accordance with federal regulations; and
- Providing an updatability/patchability view that describes the end-to-end process by which software updates and patches are delivered and deployed once the device is in the field.
The FDA will host a webinar to discuss its new guidance on November 2, 2023.
If you have questions on the FDA guidance or related issues, contact a member of our Privacy, Data, and Cybersecurity practice group to discuss.