FDA Draft Guidance Details Key Cybersecurity Management Measures Expected in Medical Device Submissions

Last month, the U.S. Food and Drug Administration (FDA) issued its Draft Guidance for the Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.1 Recognizing the increasing need for effective cybersecurity, given the proliferation of wireless, Internet- and network-connected medical devices, as well as the increasing electronic exchange of medical device-derived health information, the draft guidance articulates FDA expectations on cybersecurity measures all manufacturers of software-containing medical devices should consider in preparing virtually any type of medical device premarket submission.2

In general, FDA urges manufactures to develop security controls that maintain the confidentiality, integrity (i.e., accuracy and completeness) and availability (i.e., ensuring the information is accessible when needed) of information that is contained or transmitted via medical device software.

The guidance also clarifies that the FDA expects manufacturers to take a proactive approach to cybersecurity by considering it during the design phase of medical devices. The draft guidance states that manufacturers should include a cybersecurity risk analysis and management plan as part of the risk analysis required by 21 CFR 820.30(g), which is part of the design control provisions of the device Quality System Regulations (QSR).

In the cybersecurity risk analysis and management plan expected by FDA, manufacturers should define and document the following key elements:

Identification of assets, threats and vulnerabilities; Impact assessment of the threats and vulnerabilities on device functionality; Assessment of the likelihood of a threat and of a vulnerability being exploited; Determination of risk levels and suitable mitigation strategies; and Residual risk assessment and risk acceptance criteria. FDA also provided a detailed list of cybersecurity-related information manufacturers should detail in submissions, including:

Hazard analysis, mitigation strategies, and design considerations pertaining to intentional and unintentional device cybersecurity risks, such as: A list of all cybersecurity risks considered in the design of the device; and A list of, and justification for, all cybersecurity controls established for the device. A traceability matrix that links the actual implemented cybersecurity controls to the cybersecurity risks that were considered; A systematic plan for providing validated updates and patches to...