FDA’s Updated Guidance on Cybersecurity

by Nikita Angane | Mar 11, 2019 | Cybersecurity, FDA, Medical Devices, Quality Systems, Regulatory

Outstanding innovations come with the heavy burden of dealing with new risks and threats. Especially when public health is at stake, FDA and other regulatory agencies attempt to provide guidance for companies to develop safe and effective products. With all the technological advancements in the digital health arena, medical devices are susceptible to attacks by hackers. To address this, FDA has put cybersecurity requirements in place to help protect public health and the safety and effectiveness of medical devices.

Our blog CYBERSECURITY & MEDICAL DEVICES: A GENERAL OVERVIEW gives an insight into FDA’s thinking on the cybersecurity measures medical device companies should take and dives deeper into the guidance released by the FDA in 2014 on cybersecurity risk management requirements in pre-market submissions for medical devices. FDA released new draft guidance in Oct 2018 on cybersecurity requirements in pre-market submissions. The draft guidance is open for public comments until March 18, 2019.[1]

Let’s look at some of the updates in the new draft guidance:

The new FDA draft guidance is very closely aligned with NIST’s (National Institute of Standards and Technology) Cybersecurity Framework.[2]

A new approach to device categorization: According to the level of cybersecurity risk, medical devices may be classified as either Tier 1 – ‘Higher Cybersecurity Risk’ or Tier 2 – ‘Standard Cybersecurity Risk’. A device is a higher cybersecurity risk device if:[1]

  • The device is capable of connecting (e.g., wired, wirelessly) to another medical or non-medical product, or to a network, or to the Internet; AND
  • A cybersecurity incident affecting the device could directly result in patient harm.

Medical devices that do not meet the Tier 1 criteria are considered to be Tier 2.

The requirements for design documentation have also changed. For Tier 1 devices, documentation must show that the device:[1]

  • Prevents unauthorized use
  • Ensures trusted content by maintaining code, data, and execution integrity
  • Maintains confidentiality of data
  • Is designed:
    • To detect cybersecurity events in a timely fashion
    • To respond to and contain the impact of a potential cybersecurity incident
    • To recover capabilities or services that were impaired due to a cybersecurity incident.

Tier 2 devices may address the requirements listed above or at a minimum provide a risk-based rationale for why a cybersecurity design control was not necessary.

Along with the guidance, the FDA regularly issues cybersecurity safety communications to make the industry aware of any vulnerabilities that could allow cybersecurity breaches. FDA also advises medical device manufacturers to remain vigilant about identifying risks and hazards associated with their devices, including risks associated with cybersecurity.[3]

If you are planning to take your digital health device to market, call us at 248-987-4497 or email info@emmainternational.com.

[1] FDA (Oct 2018). Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. Retrieved on 3/6/2019 from https://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM623529.pdf

[2] Emergo (Oct 2018). US FDA Publishes Highly Anticipated Update to Medical Device Cybersecurity Recommendations. Retrieved on 3/6/2019 from https://www.emergobyul.com/blog/2018/10/us-fda-publishes-highly-anticipated-update-medical-device-cybersecurity-recommendations

[3] FDA. Cybersecurity. Retrieved on 3/6/2019 from https://www.fda.gov/medicaldevices/digitalhealth/ucm373213.htm

Nikita Angane

Solutions Delivery Specialist - Ms. Angane is a Bioengineering graduate with experience in medical device commercialization, product development, quality system compliance and regulatory affairs. Her portfolio includes working on medical devices, combination products, and pharmaceuticals. As a Solutions Delivery Specialist at EMMA International, she offers her expertise to help our clients achieve an effective and sustainable quality system, and develop regulatory strategies for market access and compliance of new products in the US and international markets. Ms. Angane earned a Bachelor of Engineering in Biomedical Engineering from the University of Mumbai, India and an M.S. in Bioengineering from the University of Illinois at Chicago.
