11 Mar FDA’s Updated Guidance on Cybersecurity
Outstanding innovations come with the heavy burden of dealing with new risks and threats. Especially when public health is at risk, FDA and other regulatory agencies attempt to provide guidance for companies to develop safe and effective products. With all the technological advancements in the digital health arena, medical devices are susceptible to attacks by hackers. To prevent this, FDA has instituted cybersecurity requirements in place to help protect public health and the safety and effectiveness of the medical devices.
Our blog CYBERSECURITY & MEDICAL DEVICES: A GENERAL OVERVIEW gives an insight into FDA’s thinking on the cybersecurity measures medical device companies should take and dives deeper into the guidance released by the FDA in 2014 on cybersecurity risk management requirements in pre-market submissions for medical devices. FDA released new draft guidance in Oct 2018 on cybersecurity requirements in pre-market submissions. The draft guidance is open for public comments until March 18, 2019.1
Let’s look at some of the updates in the new draft guidance:
The new FDA draft guidance is very closely aligned with the NIST’s (National Institute of Standards and Technology) cybersecurity framework.2
A new approach to device categorization: According to the level of cybersecurity risks, medical devices may be classified as either Tier 1 – ‘Higher Cybersecurity Risk’ or Tier 2- ‘Standard Cybersecurity Risk’. A device is a higher cybersecurity risk device if 1
- The device is capable of connecting (e.g., wired, wirelessly) to another medical or non-medical product, or to a network, or to the Internet; AND
- A cybersecurity incident affecting the device could directly result in patient harm.
Medical devices that do not meet the Tier 1 criteria are considered to be Tier 2.
The requirements for design documentation have also changed. For tier 1 devices, documentation must show that the device 1
- Prevents unauthorized use
- Ensures trusted content by maintaining code, data, and execution integrity
- Maintains confidentiality of data
- Is designed:
- To detect Cybersecurity Events in a timely fashion
- To respond to and contain the impact of a potential cybersecurity incident
- To recover capabilities or services that were impaired due to a cybersecurity incident.
Tier 2 devices may address the requirements listed above or at a minimum provide a risk-based rationale for why a cybersecurity design control was not necessary.
Along with the guidance, the FDA constantly rolls out cybersecurity safety communications to make the industry aware of any vulnerabilities that could allow cybersecurity breaches. FDA also advises medical device manufacturers to remain vigilant about identifying risks and hazards associated with their devices, including risks associated with cybersecurity.3
If you are planning to take your digital health device to market, call us at 248-987-4497 or email firstname.lastname@example.org.
1FDA (Oct 2018) Content of Premarket Submissions for Management of Cybersecurity in Medical Devices retrieved on 3/6/2019 from https://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM623529.pdf
2Emergo (Oct 2018) US FDA Publishes Highly Anticipated Update to Medical Device Cybersecurity Recommendations retrieved on 03/06/2019 from https://www.emergobyul.com/blog/2018/10/us-fda-publishes-highly-anticipated-update-medical-device-cybersecurity-recommendations
3FDA- Cybersecurity retrieved on 3/6/2019 from https://www.fda.gov/medicaldevices/digitalhealth/ucm373213.htm