00096 Cybersecurity in Medical Devices- Background

Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions

III. Background

FDA recognizes that medical device security is a shared responsibility among stakeholders throughout the use environment of the medical device system, including health care facilities, patients, health care providers, and manufacturers of medical devices. For the purposes of this guidance, the term “medical device system” includes the device and the systems to which it is connected, such as health care facility networks, other devices, and software update servers.

Events across the healthcare sector have stressed the importance of cybersecurity to patient safety. The WannaCry ransomware affected hospital systems and medical devices across the globe. Vulnerabilities identified in commonly used third-party components, such as URGENT/11 and SweynTooth, have led to potential safety concerns across a broad range of devices and clinical specialties. In 2020, a ransomware attack on a German hospital highlighted the potential impact of delayed patient care when a cybersecurity attack forced patients to be diverted to another hospital.

The FDA issued a final cybersecurity guidance addressing premarket expectations in 2014, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” and the complementary guidance “Postmarket Management of Cybersecurity in Medical Devices” (“Postmarket Cybersecurity Guidance”) in 2016. However, the rapidly evolving landscape, an increased understanding of emerging threats, and the need for capable deployment of mitigations throughout the total product lifecycle (TPLC) warrant an updated, iterative approach to device cybersecurity. The changes proposed since the 2014 guidance are intended to further emphasize the importance of ensuring that devices are designed securely and are designed to be capable of mitigating emerging cybersecurity risks throughout the TPLC, and to more clearly outline FDA’s recommendations for the premarket submission information that addresses cybersecurity concerns.

One way these TPLC considerations for devices can be achieved is through the implementation and adoption of a Secure Product Development Framework (SPDF). An SPDF is a set of processes that reduce the number and severity of vulnerabilities in products throughout the device lifecycle. Examples of such frameworks exist in many device sectors, including the medical device sector. The recommendations contained in this guidance document, when finalized, are intended to supplement FDA’s “Postmarket Management of Cybersecurity in Medical Devices,” “Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software,” and “Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices.” When finalized, this guidance will replace the final guidance “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.”

The recommendations in this guidance also generally align with or expand upon the recommendations in the “Pre-Market Considerations for Medical Device Cybersecurity” section of the International Medical Device Regulators Forum final guidance “Principles and Practices for Medical Device Cybersecurity,” issued March 2020.