00097 Cybersecurity in Medical Devices- Design Control
Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions
General Principles
This section provides general principles for device cybersecurity relevant to device manufacturers. These principles, found throughout this guidance document, are important to the improvement of device cybersecurity and, when followed, are expected to have a positive impact on patient safety.
Cybersecurity is Part of Device Safety and the Quality System Regulations
Device manufacturers must establish and follow quality systems to help ensure that their products consistently meet applicable requirements and specifications. These quality system requirements are found in the Quality System Regulation (QSR) in 21 CFR Part 820. Depending on the device, QS requirements may be relevant at the premarket stage, postmarket stage, or both.
In the premarket context, in order to demonstrate a reasonable assurance of safety and effectiveness for certain devices with cybersecurity risks, documentation outputs related to the requirements of the QSR may be one source of documentation to include as part of the premarket submission. See also “Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices” (available at https://www.fda.gov/regulatory-information/search-fda-guidance-documents/guidance-content-premarket-submissions-software-contained-medical-devices), hereafter “Premarket Software Guidance.” For example, 21 CFR 820.30(a) requires that for all classes of devices automated with software, a manufacturer must establish and maintain procedures to control the design of the device in order to ensure that specified design requirements are met (“QSR design controls”). As part of QSR design controls, a manufacturer must “establish and maintain procedures for validating the device design,” which “shall include software validation and risk analysis, where appropriate.” 21 CFR 820.30(g). As part of the software validation and risk analysis required by 21 CFR 820.30(g), software device manufacturers may need to establish cybersecurity risk management and validation processes, where appropriate.
Software validation and risk analyses are key elements of cybersecurity analyses and of demonstrating whether a connected device has a reasonable assurance of safety and effectiveness. FDA requires manufacturers to implement development processes that account for and address cybersecurity risks as part of design controls (21 CFR 820.30). For example, these processes should address the identification of security risks, the design requirements for how the risks will be controlled, and the evidence that the controls function as designed and are effective in their environment of use for ensuring adequate security.
A Secure Product Development Framework (SPDF) may be one way to satisfy QSR requirements
Cybersecurity threats have the potential to exploit one or more vulnerabilities that could lead to patient harm. The greater the number of vulnerabilities that exist and/or are identified over time in a system in which a device operates, the more easily a threat can compromise the safety and effectiveness of the medical device. A Secure Product Development Framework (SPDF) is a set of processes that help reduce the number and severity of vulnerabilities in products.
An SPDF encompasses all aspects of a product’s lifecycle, including development, release, support, and decommission. Additionally, using SPDF processes during device design may prevent the need to re-engineer the device when connectivity-based features are added after marketing and distribution, or when vulnerabilities resulting in uncontrolled risks are discovered. An SPDF can be integrated with existing processes for product and software development, risk management, and the quality system at large.
Using an SPDF is one approach to help ensure that QSR requirements are met. Because of its benefits in helping manufacturers comply with QSRs and address cybersecurity, FDA encourages manufacturers to use an SPDF, but other approaches might also satisfy QSR requirements.