The Food and Drug Administration (FDA or the Agency), the US regulating authority in the sphere of healthcare products, has published a guidance document dedicated to cybersecurity aspects of medical devices containing off-the-shelf (OTS) software.

Due to the legal nature of the guidance, it does not introduce new requirements that the parties involved must follow, but provides additional recommendations to be considered. Moreover, an alternative approach could be applied, provided such an approach complies with the applicable regulatory requirements and has been approved by the authority in advance. The current version of the document was issued by the regulating authority in January 2005. The responsible center is the Center for Devices and Radiological Health (CDRH).

Regulatory Background 

The Agency acknowledges that the increasing use of medical devices connected to various networks makes cybersecurity especially important. The associated risks could result in additional hazards in terms of the effectiveness of operations and the safety of patients in general. Such risks should be mitigated at all stages of the product lifecycle, from initial design and development to postmarket surveillance and further improvement. The present document describes how the applicable regulatory requirements should be interpreted by the parties involved in operations with medical devices connected to networks. In particular, the guidance addresses aspects related to the Quality System (QS) Regulation.

The regulatory approach described in the present FDA guidance is deemed to be the least burdensome in order to create favorable conditions and simplify and facilitate the process of placing new medical devices on the market while ensuring their safety and effectiveness. However, as mentioned, an alternative approach is acceptable. An applicant interested in an alternative approach deemed to be less burdensome may contact the regulating authority before applying it to get necessary clarifications and advice. 

The scope of the guidance covers the cybersecurity aspects associated with medical devices incorporating off-the-shelf software. The information is provided in the form of questions and answers and covers the most important matters. The list of questions is based on actual questions frequently received by the regulating authority from industry representatives and other parties involved. The document is intended to provide medical device manufacturers incorporating off-the-shelf software in their products with additional recommendations to be considered in order to achieve and sustain compliance with the applicable regulatory requirements. The approach described in the document is based on provisions of the regulation 21 CFR Part 820, as well as other guidance documents issued by the FDA previously. In particular, the Agency refers to the guidance document describing the scope of information to be included in premarket submissions with regard to the software contained in medical devices.

FDA Recommendations in Detail 

As mentioned, the present FDA guidance addresses the most common questions related to cybersecurity matters in the context of network-connected medical devices incorporating OTS software. The scope of the document covers any and all devices of this type that are connected to a local or public network. The recommendations provided therein should be, first of all, considered by the medical device manufacturers. However, they could also be taken into consideration by the staff of healthcare institutions. 

According to the document, a cybersecurity vulnerability exists whenever the OTS software provides an opportunity for unauthorized access to the network or the medical device. This could impact the safety and performance of the product. It is stated that in the case of OTS software, it becomes vitally important to issue software patches that fix newly identified vulnerabilities.

The Agency emphasizes that even if OTS software is provided by a third party, the medical device manufacturer using it in its product remains solely responsible for the safety and performance of the medical device as a whole, and the OTS software should be treated as a part of the device. End users may contact medical device manufacturers seeking advice or clarification, especially if they have concerns or are going to make any changes to the medical device or any component thereof.

The document also provides an overview of the applicable regulations, together with a brief description of the main provisions and requirements set forth therein. According to the guidance, the main regulations to be applied in the context of cybersecurity aspects for networked medical devices incorporating OTS software are:

  • 21 CFR 820.100, requiring manufacturers to systematically analyze sources of information and implement the actions needed to correct and prevent problems,
  • 21 CFR 820.30(g), prescribing that design validation requires that devices conform to defined user needs and intended uses, including an obligation to perform software validation and risk analysis, where appropriate,
  • 21 CFR 820.30(i), requiring the validation of software changes made in order to address cybersecurity vulnerabilities.

Additional Considerations 

Apart from the general principles described above, the present guidance also provides clarifications regarding certain specific aspects related to the regulatory requirements for medical devices containing OTS software. 

For instance, the authority states that in most cases, the FDA premarket review regarding software patches is not required. According to 21 CFR 807.81(a)(3), FDA review is necessary when a change or modification could significantly affect the safety or effectiveness of the medical device. The document also clarifies how this approach should be applied depending on the framework utilized to place the medical device in question on the market. 

  1. In the case of medical devices placed on the market under the 510(k) program, the medical device manufacturer shall follow the recommendations provided in the appropriate guidance document “Deciding When to Submit a 510(k) for a Change to an Existing Device”. According to the aforementioned guidance, a new 510(k) submission will be required if the medical device has a new or changed indication for use (e.g., the diseases or conditions the medical device is intended to treat), or if the proposed change (e.g., a modification in design, energy source, chemical composition, or material) could significantly affect the safety or effectiveness of the medical device. The Agency mentions that it is unlikely that a software patch will need a new submission. In most cases, it will be sufficient to duly document the changes made.
  2. In the case of medical devices placed on the market under the Premarket Approval Application (PMA) framework, a PMA supplement should be submitted if the patch impacts the approved indications for use or could potentially impact the safety and performance of the medical device. In other cases, it would be sufficient to include information about the patch in the annual report. 

In summary, the present FDA guidance covers the most important aspects related to the regulatory status of medical devices incorporating OTS software and regulatory requirements applicable thereto. The document addresses specific aspects related to change notification and obligations of the medical device manufacturer as a responsible party. 


How Can RegDesk Help?

RegDesk is a next-generation web-based software for medical device and IVD companies. Our cutting-edge platform uses machine learning to provide regulatory intelligence, application preparation, submission, and approvals management globally. Our clients also have access to our network of over 4000 compliance experts worldwide to obtain verification on critical questions. Applications that normally take 6 months to prepare can now be prepared within 6 days using RegDesk Dash(TM). Global expansion has never been this simple.