Recent hacking and data breach incidents have shown that as technology continues to advance, there is an ever-increasing need for effective cybersecurity. This need extends beyond protecting individuals’ private information on the internet and on their smartphones. On October 2, the U.S. Food and Drug Administration released an industry guidance document entitled "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices."
According to the FDA, “Effective cybersecurity management is intended to reduce the risk to patients by decreasing the likelihood that device functionality is intentionally or unintentionally compromised by inadequate cybersecurity.” Cybersecurity is defined in the industry guidance as “the process of preventing unauthorized access, modification, misuse or denial of use, or the unauthorized use of information that is stored, accessed, or transferred from a medical device to an external recipient.”
The FDA recommends that manufacturers develop controls to ensure medical device cybersecurity and to maintain the functionality and safety of their devices. Failure to do so, the FDA warns, may result in compromised functionality, loss of data, and exposure to network and security threats to connected medical devices. The FDA further recommends that medical device manufacturers implement a cybersecurity framework consistent with the framework established by the National Institute of Standards and Technology.
The industry guidance outlines the FDA’s recommendations to the medical device industry regarding information to include in premarket submissions in order to achieve effective cybersecurity management. The FDA’s recommendations apply to the following premarket submissions for medical devices that contain software or programmable logic and software that meets the definition of "medical device":
- 510(k) Premarket Notifications
- De novo submissions
- Premarket Approval Applications
- Product Development Protocols
- Humanitarian Device Exemption submissions
The FDA further recommends that device manufacturers provide the following cybersecurity-related information as part of their premarket submissions:
- Hazard analysis, mitigation, and design considerations related to security risks associated with the medical device;
- Links between cybersecurity controls and risks associated with the medical device;
- Summary of the plan to provide validated software updates to the medical device throughout its lifecycle;
- Summary of the controls to ensure software integrity; and
- Instructions for use and product specifications related to cybersecurity controls.
The industry guidance sets forth the FDA’s suggestions to the industry but is not legally enforceable.