00110 Cybersecurity in Medical Devices- TPLC Risk Management

00110 Cybersecurity in Medical Devices- TPLC Risk Management

Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions

  1. TPLC Security Risk Management532
    533
    Cybersecurity risks may continue to be identified throughout the device’s TPLC. Manufacturers534
    should ensure they have appropriate resources to identify, assess, and mitigate cybersecurity535
    vulnerabilities as they are identified throughout the supported device lifecycle.536
    537
    As part of using an SPDF, manufacturers should update their security risk management report as538
    new information becomes available, such as when new threats, vulnerabilities, assets, or adverse539
    impacts are discovered during development and after the device is released. When maintained540
    throughout the device lifecycle, this documentation (e.g., threat modeling) can be used to quickly541
    identify vulnerability impacts once a device is released and to support timely Corrective and542
    Preventive Action (CAPA) activities described in 21 CFR 820.100.543
    544
    Over the service life of a device, FDA recommends that the risk management documentation545
    account for any differences in the risk management for fielded devices (e.g., marketed devices or546
    devices no longer marketed but still in use). For example, if an update is not applied547
    automatically for all fielded devices, then there will likely be different risk profiles for differing548
    software configurations of the device. FDA recommends that vulnerabilities be assessed for any549
    differing impacts for all fielded versions to ensure patient risks are being accurately assessed.550
    Additional information as to whether a new premarket submission (e.g., PMA, PMA supplement,551
    or 510(k)) or 21 CFR Part 806 reporting is needed based on postmarket vulnerabilities and552
    general postmarket cybersecurity risk management are discussed in the Postmarket553
    Cybersecurity Guidance.38

To demonstrate the effectiveness of a manufacturer’s processes, FDA recommends that a556
manufacturer track and record the measures and metrics below39, and report them in premarket557
submissions and PMA annual reports (21 CFR 814.84), when available.40 Selecting appropriate558
measures and metrics for the processes that define an SPDF is important to ensure that device559
design appropriately addresses cybersecurity in compliance with QSR. At a minimum, FDA560
recommends tracking the following measures and metrics:561
562
· Percentage of identified vulnerabilities that are updated or patched (defect density).563
· Time from vulnerability identification to when it is updated or patched.564
· Time from when an update or patch is available to complete implementation in devices565
deployed in the field.566
Averages of the above measures should be provided if multiple vulnerabilities are identified and567
addressed. These averages may be provided over multiple time frames based on volume or in568
response to process or procedure changes to increase efficiencies of these measures over time.