The Food and Drug Administration (FDA or the Agency), the US regulating authority in the sphere of healthcare products, has published a guidance document dedicated to the content of premarket submissions for management of cybersecurity in medical devices.
The latest version of the document was issued in October 2014. Due to its legal nature, the FDA guidance does not introduce any requirements itself but provides additional clarifications and recommendations to be considered by the parties involved. Additionally, the Agency states that an alternative approach could be applied, provided such an approach complies with the respective regulatory requirements and has been approved by the authority in advance. The FDA also reserves the right to make changes to the recommendations provided therein if deemed reasonably necessary to reflect amendments to the applicable legislation.
The Agency acknowledges the increasing importance of cybersecurity matters related to medical devices placed on the US market. Nowadays, more and more medical devices require connection to local and/or global networks in order to ensure their normal operations. Numerous medical devices are also involved in exchanges with patient-related information which is sensitive in its nature. Thus, it is important to ensure the use of such devices does not result in unjustified risks for patients. In order to assist medical device manufacturers and other parties in identifying potential risks associated with cybersecurity issues, the FDA has issued the present guidance highlighting the most important aspects to be taken into consideration at all stages of the product lifecycle from the development to post-market maintenance. The document also provides additional clarifications regarding the regulatory requirements for the information to be provided by the medical device manufacturers when applying for marketing approval of their products.
The scope of the present FDA guidance covers the information to be included in premarket submissions in terms of cybersecurity-related matters. According to the document, effective cybersecurity management is intended to reduce the risk to patients by decreasing the likelihood that device functionality is intentionally or unintentionally compromised by inadequate cybersecurity.
The recommendations provided in the guidance could be applied for such types of premarket submissions as:
- Premarket Notification (510(k)) including Traditional, Special, and Abbreviated;
- De novo submissions;
- Premarket Approval Applications (PMA);
- Product Development Protocols (PDP);
- Humanitarian Device Exemption (HDE) submissions.
First, the FDA provides the definitions of the most important terms and concepts used in the context of cybersecurity-related matters, including the following:
- Authentication – the act of verifying the identity of a user, process, or device as a prerequisite to allowing access to the device, its data, information, or systems.
- Cybersecurity – the process of preventing unauthorized access, modification, misuse, or denial of use, or the unauthorized use of information that is stored, accessed, or transferred from a medical device to an external recipient.
- Encryption – the cryptographic transformation of data into a form that conceals the data’s original meaning to prevent it from being known or used.
The guidance further describes the general principles upon which the current regulatory approach is based. According to the document, the medical device manufacturer should be responsible for the measures and controls necessary to ensure the medical device meets the applicable regulatory requirements in terms of cybersecurity and operates in a safe and efficient manner.
However, the authority acknowledges that cybersecurity for medical devices, in general, should be a shared responsibility of all the parties involved. Potential cybersecurity issues could impact the normal operations of a medical device and result in loss of data or even harm caused to the patient`s health.
Due to the importance of cybersecurity matters, they should be taken into consideration by the medical device manufacturers from the very beginning – starting from the initial development stage, as this will mitigate such risk most efficiently. In particular, the Agency states that the manufacturers should establish design inputs for their device related to cybersecurity and establish a cybersecurity vulnerability and management approach as part of the software validation and risk analysis that is required by 21 CFR 820.30(g).
The cybersecurity management approach to be employed by the medical device manufacturer shall cover the following aspects:
- Identification of existing and potential cybersecurity issues and vulnerabilities;
- Analysis of the impact that the aforementioned vulnerabilities could potentially cause on the operations of the device itself, as well as on the health and safety of the patients;
- Assessment of the expected likelihood of the issues associated with such vulnerabilities;
- Identification of risk levels, determination of the strategies and approaches that could be applied in order to mitigate such risks;
- Assessment of residual risks associated with cybersecurity, as well as risk acceptance criteria.
Key Cybersecurity Functions
In order to assist medical device manufacturers in implementing the principles described above, the guidance provides recommendations regarding the particular functions related to cybersecurity, namely:
- Respond, and
The document further describes in detail each of these functions and how they should be implemented by the medical device manufacturer.
1. Identify and Protect. The Agency states that medical devices that can be connected to other devices, local or global networks, or even media require the most attention in terms of cybersecurity as opposed to those that are not connected in any way. The particular cybersecurity measures and controls to be applied depend numerous factors, including the intended use of the medical device in question, the environment in which it will be used, and identified vulnerabilities. The likelihood that these vulnerabilities will be exploited and the risks associated thereto, including causing potential harm to patients, should also be considered. At the same time, the manufacturer shall establish an optimal balance between ensuring the safety of the device in terms of cybersecurity-related matters and the general usability of the product. In this context, medical device manufacturers are encouraged to provide justification for the security functions implemented in their products.
2. Detect, Respond, Recover. The manufacturers shall develop and introduce functions that detect security issues taking place and provide all necessary information to the potential uses. Such information should describe the actions in the case of various cybersecurity issues arising. The Agency additionally emphasizes that the functions implemented by the manufacturer should be sufficient to ensure the normal operation of a medical device even if a cybersecurity issue occurs. Aside from this, there should be a technical possibility for an authenticated privileged user to recover the configuration of the device.
In summary, the present FDA guidance describes in detail the most important aspects to be considered by the medical device manufacturers in the context of cybersecurity issues. The document outlines the main responsibilities of the manufacturer and provides some recommendations to be taken into consideration on the various stages of a medical device development process.
How Can RegDesk Help?
RegDesk is a next-generation web-based software for medical device and IVD companies. Our cutting-edge platform uses machine learning to provide regulatory intelligence, application preparation, submission, and approvals management globally. Our clients also have access to our network of over 4000 compliance experts worldwide to obtain verification on critical questions. Applications that normally take 6 months to prepare can now be prepared within 6 days using RegDesk Dash(TM). Global expansion has never been this simple.