On November 2nd, 2023, the FDA organized a webinar to discuss the recently issued Final Guidance for Medical Device Cybersecurity. This final guidance was issued on September 27, 2023.
The objectives of the webinar were to:
- Describe the scope of the guidance.
- Describe general principles in the guidance.
- Describe design and documentation recommendations.
- Describe transparency recommendations.
- Describe changes and updates from the 2022 draft guidance.
Navigating FDA cybersecurity regulations for medical devices
Regarding scope, the FDA Final Guidance for Medical Device Cybersecurity applies to devices that contain software (including firmware) or programmable logic, as well as devices that have a device software function. The guidance is not limited to devices that are network-enabled or have other connected capabilities. The guidance also now covers submissions within both the Center for Devices and Radiological Health (CDRH) and the Center for Biologics Evaluation and Research (CBER); the additional requirements for Biologics License Application (BLA) and Investigational New Drug (IND) submissions are new in this guidance.
Introduction for Cyber Device requirements
The regulatory requirements for “Cyber Devices” were introduced by the Consolidated Appropriations Act, 2023, which was signed into law on December 29, 2022. It includes the Food and Drug Omnibus Reform Act (FDORA), which added Section 524B to the FD&C Act. The new guidance is intended to help manufacturers comply with the requirements of Section 524B.
Section 524B(c) defines a Cyber Device as a device that:
- Includes software that a sponsor has validated, installed, or authorized as a device or in a device;
- Has the ability to connect to the internet; and
- Contains any such technological characteristics a sponsor has validated, installed, or authorized that could be vulnerable to cybersecurity threats.
General principles for medical device cybersecurity under FDA regulations
The general principles to ensure cybersecurity are provided within the guidance document. Some key concepts include:
- Considering cybersecurity as part of device safety and the Quality System.
- Proactively designing the device for security. This may include security risk management, security architecture, and cybersecurity testing.
- Transparency with disclosures to end users, such as through labeling.
- Appropriate documentation within a submission to support cybersecurity. The appropriate types of documentation are listed within the guidance document, such as Threat Modeling, Cybersecurity Risk Assessment, Interoperability Assessment, Security Risk Management Report, Software Bill of Materials (SBOM), etc.
Software bill of materials
The content and format of the Software Bill of Materials (SBOM) were also discussed. The National Telecommunications and Information Administration (NTIA) Multistakeholder Process on Software Component Transparency (2021) provides a common framework for what should be included in an SBOM.
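As an added illustration of what "content" means in practice (this is example code, not material from the FDA webinar or the guidance), the script below checks a CycloneDX-style SBOM for the baseline attributes NTIA's 2021 work identifies: supplier name, component name, version, a unique identifier, dependency relationships, the author of the SBOM data, and a timestamp. The SBOM itself is constructed for the example, and the field names used for each attribute (for example `purl`/`cpe`/`swid` as unique identifiers, `metadata.authors` as the SBOM author) are assumptions about how a CycloneDX document would carry them, not requirements stated in the guidance.

```python
"""Check a CycloneDX-style SBOM for NTIA baseline attributes (added example).

The attribute list follows NTIA's 2021 minimum elements; the mapping onto
CycloneDX field names is an assumption made for this example.
"""
from __future__ import annotations

import json

# Constructed sample SBOM: two third-party components, one of which lacks a
# supplier and a unique identifier and is not referenced in the dependency graph.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2023-11-02T15:00:00Z",
        "authors": [{"name": "Example Device Co. product security team"}],
        "component": {
            "bom-ref": "device-fw", "type": "firmware",
            "name": "infusion-pump-firmware", "version": "4.2.0",
            "supplier": {"name": "Example Device Co."},
        },
    },
    "components": [
        {"bom-ref": "pkg:generic/rtos@3.1.4", "type": "operating-system",
         "name": "rtos", "version": "3.1.4",
         "supplier": {"name": "RTOS Vendor"}, "purl": "pkg:generic/rtos@3.1.4"},
        {"bom-ref": "tls-lib", "type": "library",
         "name": "tls-lib", "version": "1.0.2"},
    ],
    "dependencies": [
        {"ref": "device-fw", "dependsOn": ["pkg:generic/rtos@3.1.4"]},
    ],
})


def check_ntia_minimum_elements(sbom_text: str) -> list[str]:
    """Return human-readable findings; an empty list means every element is present."""
    sbom = json.loads(sbom_text)
    findings: list[str] = []

    # Author of SBOM data and timestamp are document-level attributes.
    meta = sbom.get("metadata", {})
    if not meta.get("authors") and not meta.get("tools"):
        findings.append("metadata: no author of SBOM data (metadata.authors/tools)")
    if not meta.get("timestamp"):
        findings.append("metadata: no timestamp")

    # Dependency relationship: collect every bom-ref that appears in the graph,
    # either as a dependent or as something depended on.
    referenced: set[str] = set()
    for dep in sbom.get("dependencies", []):
        referenced.add(dep.get("ref"))
        referenced.update(dep.get("dependsOn", []))

    # Per-component attributes: supplier, name, version, unique identifier,
    # and presence in the dependency graph.
    for comp in sbom.get("components", []):
        label = comp.get("name") or comp.get("bom-ref") or "<unnamed>"
        if not (comp.get("supplier") or {}).get("name"):
            findings.append(f"{label}: no supplier name")
        if not comp.get("name"):
            findings.append(f"{label}: no component name")
        if not comp.get("version"):
            findings.append(f"{label}: no version")
        if not (comp.get("purl") or comp.get("cpe") or comp.get("swid")):
            findings.append(f"{label}: no unique identifier (purl/cpe/swid)")
        if comp.get("bom-ref") not in referenced:
            findings.append(f"{label}: not referenced in the dependency graph")
    return findings


def sbom_is_complete(sbom_text: str) -> bool:
    """True when no baseline attribute is missing."""
    return not check_ntia_minimum_elements(sbom_text)


if __name__ == "__main__":
    for finding in check_ntia_minimum_elements(SAMPLE_SBOM):
        print(finding)
```

Run against the constructed sample, the check flags only the `tls-lib` component (missing supplier, missing unique identifier, absent from the dependency graph); the `rtos` component and the document-level author and timestamp pass. The same checks apply to an SPDX document once the field names are mapped.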
Cybersecurity testing by independent experts or third parties
With regard to cybersecurity testing, this should be performed by independent experts or third parties. This testing could include:
- Security Requirement Testing
- Threat Mitigation
- Vulnerability Testing
- Penetration Testing
Cybersecurity Management Plan
A Cybersecurity Management Plan is also required to ensure post-market safety of the device throughout its life cycle. Such a plan could include:
- Periodic security testing to assess the impact of identified vulnerabilities.
- A timeline to develop and release patches, and the overall patching capability.
Furthermore, Appendix 4 of the new guidance lists the appropriate types of documents required in a pre-market submission.
Changes added from the 2022 draft guidance
The key changes that were added from the 2022 draft guidance included:
- An expanded scope to include CBER submission types, considerations for combination products, and elements from Section 524B.
- Structural changes to include appropriate documentation for pre-market submissions, such as the Cybersecurity Risk Assessment, interoperability, etc.
- SBOM content that aligns with the 2021 NTIA SBOM Framing Document.
Learn more about FDA cybersecurity medical device regulations with MedEnvoy
MedEnvoy’s regulatory experts can assist manufacturers in staying compliant with the latest FDA cybersecurity medical device requirements. Please reach out should you need assistance with premarket or post-market cybersecurity regulatory requirements, or for information about our regulatory experts.