The U.S. Food and Drug Administration issued a draft guidance, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, which provides updated recommendations to industry on cybersecurity considerations for device design, labeling and documentation that the FDA recommends be included in premarket submissions for medical devices with cybersecurity risk.
The updated draft guidance builds on the framework that the FDA established in its earlier guidance, finalized in 2014, for helping manufacturers consider cybersecurity in the design and development of their medical devices. These updated recommendations will facilitate an efficient premarket review process and help ensure that medical devices are designed to sufficiently address cybersecurity threats before the devices are on the market.
The draft guidance incorporates new recommendations, including a “cybersecurity bill of materials,” which is a list of commercial and/or off-the-shelf software and hardware components of a device that could be susceptible to vulnerabilities. Depending on the level of cybersecurity risk associated with a device, this list can be an important resource to help ensure that device users are able to respond quickly to potential threats. The draft guidance also introduces two tiers of devices—those with higher cybersecurity risk, including implanted devices such as pacemakers or neurostimulation devices, and standard cybersecurity risk, which includes devices that contain software—based on potential harm to patients from cybersecurity threats. The draft guidance outlines the documentation for inclusion in a premarket submission to the agency to demonstrate that the design of the medical device has adequately mitigated risk.
The agency also announced today that a public workshop will be held on Jan. 29-30, 2019, to discuss the newly released draft guidance. The workshop will bring together diverse stakeholders for an in-depth discussion and to obtain feedback on the draft guidance.