Cybersecurity in Medical Devices - Transparency
Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions
- Transparency
A lack of cybersecurity information, such as information necessary to integrate the device into the use environment, as well as information needed by users to maintain the device’s cybersecurity over the device lifecycle, has the potential to affect the safety and effectiveness of a device. In order to address these concerns, it is important for device users to have access to information pertaining to the device’s cybersecurity controls, potential risks, and other relevant information. For example:
· insufficient information pertaining to whether a device has undisclosed cybersecurity vulnerabilities or risks may be relevant to determining whether a device’s safety or effectiveness could be degraded;
· user manuals that do not include sufficient information to explain how to securely configure or update the device may limit the ability of end users to appropriately manage and protect the device; and/or
· a failure to disclose all of the communication interfaces or third-party software could fail to convey potential sources of risks.
This information and other relevant information is important in helping understand a device’s cybersecurity, the threats that it may be exposed to, and how those threats may be prevented or mitigated. Without it, cybersecurity risks could be undisclosed, inappropriately identified, or inappropriately responded to, among other potential impacts, which could lead to compromises in device safety and effectiveness.
FDA believes that the cybersecurity information discussed in this guidance is important for the safe and effective use of interconnected devices and should be included in device labeling, as discussed below in Section VI.