The FDA has issued the Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions guidance that includes recommendations to industry regarding cybersecurity device design, labeling, and the documentation that the FDA recommends be included in premarket submissions for devices with cybersecurity risk. These recommendations are intended to promote consistency, facilitate efficient premarket review, and help ensure that marketed medical devices are sufficiently resilient to cybersecurity threats. This document supersedes the final guidance “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” issued October 2, 2014.
The guidance is applicable to devices with cybersecurity considerations, including but not limited to devices that have a device software function or that contain software (including firmware) or programmable logic. A device doesn’t have to be connected to fall within scope. The guidance outlines some key goals: ensuring that companies put security needs at the core of the design; being transparent about all cybersecurity aspects and controls, both with all companies involved and with end users (including labeling for devices); having processes in place that test and audit the cybersecurity measures; and having adequate cybersecurity management plans. It also encourages interoperability and the creation of a set of processes that reduce the number and severity of vulnerabilities in products (Secure Product Development Framework [SPDF]).
Device cybersecurity design and documentation are expected to scale with the cybersecurity risk of that device. FDA requires manufacturers to implement development processes that account for and address software risks throughout the design and development process as part of design controls, as discussed in the FDA’s regulations regarding design control, which may include cybersecurity considerations.
The guidance includes recommendations on how to implement adequate Security Control Categories architecture, as well as how to present Submission Documentation for Security Architecture Flows.
How Avania Can Help
In this new cyber landscape, Avania is happy to assist clients with this additional documentation for the submissions (including Documentation for Security Architecture Flows, Documentation for Investigational Device Exemptions, General Premarket Submission Documentation Elements and Scaling with Risk), as well as providing industry benchmarking recommendations on your SPDF. Contact our team today.