Earlier this month, the Food and Drug Administration (“FDA”) issued “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.” This draft guidance document, which replaces the prior 2018 draft guidance, is “intended to further emphasize the importance of ensuring that devices are designed securely, are designed to be capable of mitigating emerging cybersecurity risks throughout the Total Product Life Cycle, and to clearly outline FDA’s recommendations for premarket submission content to address cybersecurity concerns.”
It reflects the FDA’s assessment that “[a]s more medical devices are becoming interconnected, cybersecurity threats have become more numerous, more frequent, more severe, and more clinically impactful. As a result, ensuring medical device safety and effectiveness includes adequate medical device cybersecurity, as well as its security as part of the larger system.”
The draft guidance is open for comment by stakeholders until July 7, 2022.
Previously, in 2014, the FDA issued guidance providing recommendations for device cybersecurity information in premarket submissions. In response to a rapidly evolving cyber landscape and an increased understanding of the threats, the FDA then issued a draft guidance on October 18, 2018, entitled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.” The recently released draft guidance supplants that 2018 draft.