On April 08, 2022, the Food and Drug Administration (FDA) published a draft cybersecurity guidance document for medical devices, titled Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions. The draft guidance covers a wide range of issues, including cybersecurity device design, labeling, and documentation. The guidance is intended to provide medical device makers a road map on how to satisfy the FDA’s quality system and patient safety regulations and how to address cybersecurity considerations within their premarket submissions.

The FDA’s draft guidance was released shortly before a report underlining the cybersecurity security practice deficiencies of various medical device makers. On April 20, 2022, Cybellum – a company specializing in assessing product security – reported the results of its 2022 medical device cybersecurity survey in an article titled Medical Device Cybersecurity: Trends and Predictions. The survey found that, although 83% of the medical device companies surveyed saw device security as a competitive edge, 75% of respondents noted that they do not have a dedicated senior management who takes responsibility for device cybersecurity.

The Cybellum survey also revealed that only about a quarter of the medical device companies surveyed (27%) generate and maintain a Software Bill-of-Materials (SBoM) for their products. An SBoM is a formal record containing the details and supply chain relationships of various components used in building software. President Joe Biden previously highlighted the importance of an SBoM in his Executive Order on Improving the Nation’s Cybersecurity from May 2021. Moreover, the National Telecommunications and Information Administration published The Minimum Elements for an SBoM on July 21, 2021, in an effort to bring “transparency to the components and connections within and across supply chains.”

The FDA’s draft cybersecurity guidance document is available here and is available for stakeholder comments until July 7, 2022.