Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions
- Submission Documentation
Device cybersecurity design and documentation are expected to scale with the cybersecurity risk of the device. Manufacturers should take into account the larger system in which the device may be used. For example, a cybersecurity risk assessment performed on a simple, non-connected thermometer may conclude that the risks are limited, and therefore such a device needs only a limited security architecture (i.e., addressing only device hardware and software) and few security controls, based on the technical characteristics and design of the device. However, if a thermometer is used in a safety-critical control loop, or is connected to networks or other devices, then the cybersecurity risks for the device are considered to be greater, and more substantial design controls and documentation should be submitted in the premarket submission in order to demonstrate reasonable assurance of safety and effectiveness.

As a result, the effectiveness of cybersecurity controls may degrade as new risks, threats, and attack methods emerge. As cybersecurity is part of device safety and effectiveness, cybersecurity controls should take into consideration the intended and actual use environment (see section IV). In the 510(k) context, FDA evaluates the cybersecurity information submitted and the protections the cybersecurity controls provide in demonstrating substantial equivalence.[18]

[18] See section 513(i) of the FD&C Act and 21 CFR 807.100(b)(2)(ii)(B).
In addition, inadequate cybersecurity controls may cause a device to be misbranded under section 502(f) of the FD&C Act because its labeling does not bear adequate directions for use, or under section 502(j) of the FD&C Act because it is dangerous to health when used in the manner recommended or suggested in the labeling, among other possible violations.

The cybersecurity information recommended for inclusion in submissions, as detailed in this guidance, is based on risks due to cybersecurity, not on any other criteria or level of risk/concern established in a separate FDA guidance (e.g., the software risk criteria in the Premarket Software Guidance). For example, a device that is determined to have a greater software risk may have only a small cybersecurity risk due to how the device is designed. Likewise, a device with a smaller software risk may have a significant cybersecurity risk.

The information in these sections does not represent a complete SPDF. In addition, FDA does not recommend that manufacturers discontinue existing, effective processes.