In honor of this month being Cybersecurity Awareness Month, this blog will delve into all of the regulatory requirements and considerations for medical device firms to take into account when developing a software as a medical device (SaMD). Its important to note that Cybersecurity is a critical component of software QA and risk management but is fundamentally a unique component of the overall software development umbrella and firms should be aware of the unique requirements.
Cybersecurity is an area that many firms may have noticed that the FDA is paying particular attention to in premarket submissions. As our world, and our devices, become more and more interconnected with advances in Wi-Fi and Bluetooth capabilities, the Agency has identified a more critical risk of cybersecurity issues like malware and information hacking. Subsequently, the FDA has harmonized additional guidances around how a medical device manufacturer should develop cybersecurity measures into their product, and what type of evidence they’ll be looking for in premarket submissions.
A Secure Product Development Framework (SPDF) is one way that firms can ensure they are complying with the quality system regulation, and thus ensuring safety and effectiveness for their SaMD. As a part of the overall SPDF, there are a few key cybersecurity objectives that firms should consider including:
- Updatability and patchability
All of these cybersecurity objectives will ensure that the device function and any information it stores/creates/transmits is safe. Additionally, they will ensure that the device is functional and available when users/patients expect and need it.
Any risks related to the cybersecurity objectives above should be captured in the device’s risk management file and appropriately mitigated following appropriate verification and validation. Additional standards exist that the FDA recommends manufacturers to use to bolster cybersecurity mitigations, such as AAMI TIR57, which documents methods to perform information security risk management specifically for medical devices.
One such method is Thread Modeling, which should identify any cybersecurity risks that are inherent in the device or could be introduced through the supply chain. The Threat Model will then become a critical component of the Risk Management File, with traceability to validated risk management measures.
As devices, and the forms of communication between them, get more advanced so to will the FDA’s approach to how they are regulated. Firms can expect much more scrutiny of their cybersecurity measures in their premarket submissions going forward.
 FDA (Sep 2023) Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions retrieved on 10/3/2023 from: https://www.fda.gov/media/119933/download