The Food and Drug Administration (FDA or the Agency), the US regulating authority in the sphere of medical devices, has published a guidance document dedicated to the postmarket management of cybersecurity in medical devices. The document highlights the most important aspects to be considered by medical device manufacturers and other parties involved in operations with medical devices in the context of cybersecurity matters related to devices already placed on the market.
Due to its legal nature, the FDA guidance is a non-binding document that provides additional clarifications and recommendations. Accordingly, it is not intended to introduce new rules and requirements. Moreover, the Agency explicitly states that an alternative approach could be applied, provided such an approach complies with the current regulatory requirements and has been approved by the authority in advance.


First, the guidance provides the definitions of the most important terms and concepts used, including the following:

  1. Compensating Controls are the safeguards or countermeasures deployed, in lieu of, or in the absence of controls designed in by a device manufacturer. It is further explained that these measures are external and should be introduced by the user in accordance with the instructions provided by the manufacturer. 
  2. Controlled Risk stands for a sufficiently low (acceptable) residual risk of patient harm due to a device’s particular cybersecurity vulnerability. 
  3. Cybersecurity Routine Updates and Patches are explained as changes to a device to increase device security and/or remediate only those vulnerabilities associated with controlled risk of patient harm. At the same time, the authority emphasizes that the scope of this concept does not cover modifications introduced by the manufacturer in order to repeal non-compliance with applicable regulatory requirements or reduce uncontrolled risk. It is mentioned that such modifications are scheduled in advance and could take place in the form of software updates or hardware upgrades or in any other form depending on the design of a medical device in question. As mentioned, such modifications are considered device enhancements and not repair. Apart from actual changes to the device itself, these changes could also include changes to the labeling, instructions for use, or any other documentation accompanying the device. Due to their legal nature, such changes are not subject to reporting to the FDA. However, updates introduced in order to mitigate risks potentially resulting in severe health deterioration fall beyond the scope of regular updates described herein. 
  4. Threat refers to any circumstance or event with the potential to adversely impact the device, organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, or other organizations through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. 
  5. Threat Modeling is a methodology for optimizing Network/Application/Internet Security by identifying objectives and vulnerabilities, and then defining countermeasures to prevent, or mitigate the effects of, threats to the system. According to the guidance, such an approach could be applied for identifying vulnerabilities associated with a medical device. 
  6. Uncontrolled Risk refers to the unacceptable residual risk of patient harm due to inadequate compensating controls and risk mitigations. 
  7. Vulnerability stands for a weakness in an information system, system security procedures, internal controls, human behavior, or implementation that could be exploited by a threat. 

General Principles 

As mentioned in other guidance documents issued by the FDA and dedicated to cybersecurity matters, in the authority’s point of view, the responsibilities in the sphere of cybersecurity should be shared among all the parties involved in operations with medical devices. Hence, ensuring protection against cybersecurity risks requires the efficient cooperation of medical device manufacturers, healthcare institutions, and users. The negative consequences could include not only the harm that could be caused to a patient but also disclosure of personal and medical data, which is quite sensitive in nature, or the impact caused to other medical devices connected to the same network. It is stated that effective cybersecurity risk management is intended to reduce the risk to patients by decreasing the likelihood that device functionality is intentionally or unintentionally compromised by inadequate cybersecurity. In order to ensure that this goal is achieved, the appropriate measures should be duly taken on all the stages of a product’s lifecycle, including both premarket and postmarket stages. 

When describing the aspects to be considered at the premarket stage, the authority refers to its guidance document dedicated to the content of premarket submissions for management of cybersecurity in medical devices, which provides additional recommendations for medical device manufacturers. In particular, the Agency encourages medical device manufacturers (software developers) to consider cybersecurity matters at early design and development stages as in this case, it would be possible to implement necessary measures and controls, and such implementation would require less time and resources in comparison to implementing similar changes at later stages. It is stated that the appropriate measures should be reflected in the design inputs describing the requirements the device should meet. According to the guidance, the matters to be covered should include such elements as: 

  • Identification of assets, threats, and vulnerabilities;
  • Assessment of the impact of threats and vulnerabilities on device functionality and end users/patients;
  • Assessment of the likelihood of a threat and of a vulnerability being exploited;
  • Determination of risk levels and suitable mitigation strategies;
  • Assessment of residual risk and risk acceptance criteria. 

Apart from the measures to be taken during design and development, the guidance also highlights the key points to be considered after the device is placed on the market. In particular, the authority states that cybersecurity risks could not be fully mitigated by measures and controls implemented at the premarket stage. Hence, medical device manufacturers should duly develop and implement comprehensive cybersecurity risk management programs describing the approach to be applied to mitigate in the most efficient manner the risks associated with a medical device. Additionally, medical device manufacturers should, without undue delay, implement additional measures necessary to address newly identified vulnerabilities. As stated in the guidance, such a cybersecurity risk management program should cover the following aspects:

  • Monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk;
  • Understanding, assessing, and detecting presence and impact of a vulnerability;
  • Establishing and communicating processes for vulnerability intake and handling;
  • Using threat modeling to clearly define how to maintain safety and essential performance of a device by developing mitigations that protect, respond and recover from the cybersecurity risk. 

In summary, the present article describes the suggested approach to be applied by medical device manufacturers with regard to cybersecurity risks. The document outlines the most important aspects to be considered in both premarket and postmarket stages of a medical device’s lifecycle. 


How Can RegDesk Help?

RegDesk is a next-generation web-based software for medical device and IVD companies. Our cutting-edge platform uses machine learning to provide regulatory intelligence, application preparation, submission, and approvals management globally. Our clients also have access to our network of over 4000 compliance experts worldwide to obtain verification on critical questions. Applications that normally take 6 months to prepare can now be prepared within 6 days using RegDesk Dash(TM). Global expansion has never been this simple. ​