FDA Cybersecurity Draft Guidance

Authors: Helen Simons

The FDA released a new Cybersecurity draft guidance in April 2022. It is intended to replace the current final guidance from 2014, which is well overdue for an update. The draft guidance significantly expands the requirements for cybersecurity activities and documentation for medical devices. The intention is to align medical device development with current best practices from other industries. This white paper reviews these new requirements and considers their impact on medical device development.

The current finalised guidance on Cybersecurity was released in 2014 and is 9 pages long. This new draft guidance expands to a hefty 49 pages. The FDA tried to update this guidance in 2018 but it did not progress beyond draft due to the number of comments received.

The current guidance covers the following documentation requirements:

  • Risk assessment
  • Traceability matrix
  • Software updates plan
  • Software integrity controls
  • Device instructions for use covering cybersecurity (no specific guidance on content)

The process guidance only spans 2 pages and covers the steps Identify, Protect, Detect, Respond and Recover. However, it includes recommendations for applicable standards that can be followed to help implement this process.

This draft guidance describes recommendations regarding cybersecurity information to be submitted for devices under the following premarket submission types:

  • Premarket Notification (510(k)) submissions
  • De Novo requests
  • Premarket Approval Applications (PMAs) and PMA supplements
  • Product Development Protocols (PDPs)
  • Investigational Device Exemption (IDE) submissions (with a note that content is expected to be less mature)
  • Humanitarian Device Exemption (HDE) submissions

This guidance document is applicable to devices that contain software (including firmware) or programmable logic, as well as software as a medical device (SaMD). It is important to note this guidance is not limited to devices that are network-enabled or contain other connected capabilities; hence, it needs to be considered for a wider range of products than previously covered.
