In September 2023, the FDA finalized its medical device cybersecurity guidance for premarket submissions. The updated document, “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submission,” details the information that must be submitted to the Center for Devices and Radiological Health (CDRH) or the Center for Biologics Evaluation and Research (CBER) for the premarket evaluation of products that involve cybersecurity risks. The guidance is applicable to any device or piece of software that can connect to the internet and is susceptible to cybersecurity threats, including but not limited to devices containing software or programmable logic.
Designed to keep patients safe and improve public health protection, the FDA cybersecurity requirements document includes pre-market guidance, as well as guidance related to monitoring, identifying, and addressing cybersecurity vulnerabilities in medical devices once they are on the market.
Specifically, the updated FDA cybersecurity guidance addresses the following submission types:
- 510(k) premarket notifications
- De Novo requests
- Premarket Approval (PMA) applications or PMA supplements
- Product Development Protocols (PDP)
- Investigational Device Exemptions (IDE)
- Humanitarian Device Exemptions (HDE)
- Biologics License Applications (BLA)
- Investigational New Drug submissions (IND)
In the updated cybersecurity requirements, the FDA included recommendations related to comprehensive medical device cybersecurity risk management, continuous improvement throughout the total product life cycle, and incentivize changing marketed and distributed medical devices to reduce risk.
The FDA continues to make efforts to safeguard the safety and efficacy of medical devices at all points in their lifecycle in the face of possible cyber risks by collaborating with business and other federal government entities.
Cybersecurity is more important than ever in the medical device industry. As the FDA continues to make efforts to safeguard the safety and efficacy of medical devices to combat the growing attack surface, it is imperative that you maintain compliance across all points in your products’ lifecycle.
Here are some best practices to guide this process:
- Assess the impact [impact of what?] on the device’s functionality, the impact to the patients, the likelihood of the threat, and the device’s vulnerability to a breach
- Determine the risk levels, and understand different mitigation strategies for medical device cybersecurity risks
- Establish a medical device cybersecurity management approach that identifies assets and threats and examines corner cases.
- Identify and eliminate any elements that could threaten the medical device’s cybersecurity, create vulnerabilities, or present other potential risks associated with each individual medical device
Though the above can seem daunting and overwhelming, it doesn’t have to be. With advanced expertise across the regulatory landscape, Sterling can help you complete the necessary steps to ensure your device meets all FDA cybersecurity requirements—all while keeping the design and development process moving forward without disruption.For more information about how to complete a medical device cybersecurity risk assessment, details about the FDA premarket submission cybersecurity guidelines, help ensuring your FDA premarket submission meets cybersecurity requirements, or guidance on how to protect your device from cyber threats, contact us here.