FDA Issues New Guidance on Cybersecurity for Medical Devices
On Friday, the Food and Drug Administration (FDA) issued draft guidance entitled Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.

Cybersecurity concerns have increasingly become an issue for medical devices. The FDA guidance explains that “cybersecurity threats to the healthcare sector have become more frequent and more severe, carrying increased potential for clinical impact.”

“Cybersecurity incidents have rendered medical devices and hospital networks inoperable, disrupting the delivery of patient care across healthcare facilities in the U.S. and globally. Such cyber attacks and exploits may lead to patient harm as a result of clinical hazards, such as delay in diagnoses and/or treatment,” the agency said.

The new guidance specifically concerns: “Premarket Notification (510(k)) submissions; De Novo requests; Premarket Approval Applications (PMAs) and PMA supplements; Product Development Protocols (PDPs); Investigational Device Exemption (IDE) submissions; and Humanitarian Device Exemption (HDE) submissions.” The FDA notes that the original guidance was intended to have security addressed at a single point in a device's proceedings with the FDA, but newer threats, such as the WannaCry virus, have forced medical device manufacturers to adopt a more iterative approach, which the new guidance seeks to accommodate.

The new guidance includes several general principles that the FDA will require as part of this cybersecurity guidance, including:

  1. Use of a Secure Product Development Framework to provide iterative security measures;
  2. Security design around security objectives, including: authenticity (which includes integrity), authorization, availability, confidentiality, and secure and timely updatability and patchability;
  3. Transparency, including providing information about security risks or breaches that may affect a product's usability, user manuals and guidance that allow patients to properly configure and maintain the devices to meet privacy expectations, and disclosure of communication interfaces to maintain the security of uploads to remote devices; and
  4. Proper and timely documentation and submission of security information to the FDA.

Comments on the guidance are open until July 7.