New FDA Guidance for Medical Device Cybersecurity

Medical device cybersecurity has been a hot topic as medical information, including medical device monitoring data, is increasingly exchanged electronically. The FDA has been issuing guidance ever since 1998, when the organization first addressed the issue of software in medical devices. Now, a new guideline has been released. Titled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” it’s the final publication of a draft that was issued in 2013. You’ll use it to review how you reduce the risk that your device’s functionality will be compromised by inadequate software security.

The new guidance is intended to supplement the information that’s found in 2 previous FDA guidance documents:  “Guidance for Industry – Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software” and “Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices.”  It’s divided into various clauses, beginning with an introduction and then a scope paragraph.

Next is a definitions section, Clause 3, which relies heavily on terms and definitions found in ANSI/AAMI/ISO 14971.  Following this, Clause 4 provides you with the general principles that the FDA uses in assessing the cybersecurity controls a given developer or manufacturer uses in their products.

Section 5 covers cybersecurity functions, the mantra of identify, protect, detect, respond and recover. Here you’ll find the detailed suggestions for limiting access to software to trusted users only, ensuring trusted content, and so on.

Section 6 is particularly useful, as it provides the recommendations of the agency for the type of documentation they expect to see in your premarket submission.  Of course, the recommendations expect that you’ll have support for the implementation and management of this issue as part of your quality system as defined in the Quality System Regulation (including Design Controls).

The new publication concludes with a list of FDA-recognized consensus standards that deal with IT (information technology) and software security for medical devices. Of the six referenced standards, five have IEC as the source organization and one has been developed by CLSI.

If software, including any networked components, is part of your medical device, you’ll want to get a copy of this new guidance on medical device cybersecurity.  Head to Document Center’s webstore at www.document-center.com.  There you can pick up a copy in either paper format or for pdf download.  You can even add it to your Standards Online multi-user subscription service.

Benefits? When the document is updated, you’ll be notified. And you’ll have the support of our team of experts here at Document Center. You can register on our site and easily review the status of all standards purchased from us at any time. And there are loads of other services offered by Document Center Inc. that can make it far easier to maintain and control your collection of compliance documentation. Thousands have made Document Center their preferred standards source. Do the same and make us your Standards Experts!

Published by

Claudia Bach

Claudia Bach is the President of Document Center Inc. and a world-wide recognized expert on Standards and Standards Distribution. You can connect with her on Google+
