00101 Cybersecurity in Medical Devices- SPDF

00101 Cybersecurity in Medical Devices- SPDF

Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions

  1. Using an SPDF to Manage Cybersecurity Risks
    The documentation recommended in this guidance is based on FDA’s experience evaluating the safety and effectiveness of devices with cybersecurity vulnerabilities. However, sponsors may use alternative approaches and provide different documentation so long as their approach and documentation satisfies premarket submission requirements in applicable statutory provisions and regulations. The increasingly interconnected nature of medical devices has demonstrated the importance of addressing cybersecurity risks associated with device connectivity in device design because of the effects on safety and effectiveness.19 Cybersecurity risks that are introduced by threats directly to the medical device or to the larger medical device system can be reasonably controlled through using an SPDF.

The primary goal of using an SPDF is to manufacture and maintain safe and effective devices.
From a security context, these are also trustworthy and resilient devices. These devices can then be managed (e.g., installed, configured, updated, review of device logs) through the device design and associated labeling by the device manufacturers and/or users (e.g., patients, health care facilities). For health care facilities, these devices may also be managed within their own cybersecurity risk management frameworks, such as the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity, generally referred to as the NIST Cybersecurity Framework or NIST CSF.
FDA recommends that manufacturers use device design processes such as those described in the QSR to support secure product development and maintenance. Other frameworks that satisfy the QSR and align with FDA’s recommendations for using an SPDF already exist and may be used, such as the medical device-specific framework that can be found in the Medical Device and Health IT Joint Security Plan (JSP).20 Frameworks from other sectors may also comply with the QSR, like the framework provided in ANSI/ISA 62443-4-1: 2018 Security for industrial automation and control systems Part 4-1: Product security development life-cycle requirements.21

The following subsections provide recommendations for using SPDF processes which FDA believes provide important considerations for the development of devices that are safe and effective, how these processes can complement the QSR, and the documentation FDA
recommends manufacturers provide for review as part of premarket submissions. The information in these sections do not represent a complete SPDF. In addition, FDA does not recommend that manufacturers discontinue existing, effective processes.