FDA unveils medical device cybersecurity guidance

The FDA’s Center for Devices and Radiological Health (CDRH) has issued its long-awaited final guidance on cybersecurity issues that manufacturers should consider when designing and developing medical devices and preparing for premarket submissions.

The need for effective cybersecurity to assure medical device functionality and safety has grown, especially as devices are increasingly connected to the internet and exchange health information, according to the agency.

“There is no such thing as a threat-proof medical device,” Suzanne Schwartz, MD, MBA, director of emergency preparedness/operations and medical countermeasures at CDRH, said in a statement. “It is important for medical device manufacturers to remain vigilant about cybersecurity and to appropriately protect patients from those risks.” 

The nine-page guidance, Content of Premarket Submission for Management of Cybersecurity in Medical Devices, applies to premarket medical device submissions received beginning on Oct. 1. It recommends that the following types of information be disclosed in a submission:

  • A justification of the security functions chosen for their medical devices;
  • A list of cybersecurity risks considered in the medical device’s design;
  • A matrix that traces those risks considered to the appropriate controls; and,
  • A systematic plan for providing patches and updates to operating systems or medical device software.

The FDA has scheduled a webinar on Oct. 29 to further explain the guidance. It also has scheduled a public workshop Oct. 21-22 to gain stakeholder feedback on medical device and healthcare cybersecurity.