FDA Guidance for Medical Device Cybersecurity: What Manufacturers Need to Know

19 Jul 2022

The importance of identifying vulnerabilities and controlling risk to demonstrate product safety and effectiveness

Right now cybersecurity is of the utmost importance in the medical device arena, both at the U.S. and global levels. In the U.S., the Food and Drug Administration (FDA) oversees the approval of medical devices before they can be placed on the market. However, when a medical device contains software, a whole different set of conditions must be met to satisfy safety requirements.

As the use of connected medical devices has increased – both in the clinical and home healthcare environments – the FDA has developed and issued draft guidance around cybersecurity. The most recent version was updated in April of this year and addresses cybersecurity at every stage of the product lifecycle in order to ensure device security and patient safety.

The FDA recommendations are not requirements, however manufacturers can use them as sort of a blueprint when developing medical devices that will require the FDA's approval. By following the guidance, a manufacturer will satisfy the FDA's expectations for cybersecurity and device effectiveness, helping to streamline the review and approval process. 

FDA pre-market submissions are required to be submitted for approval of medical devices, including those that contain software (including firmware) or programmable logic, as well as software as a medical device. The cybersecurity requirements encompass:

• Premarket notification (510(k) submissions
• De novo requests
• Premarket approval Applications (PMAs) and PMA supplements
• Product Development Protocols (PDPs)
• Investigative device exemption submissions (IDE)
• Humanitarian device exemption submissions (HDE)

The FDA's general principles for cybersecurity align with 21 CFR 820.30 design principles and focus on how to identify risks in your product, including cybersecurity risk in the design of your product and how those risks will be controlled in order to demonstrate a reasonable assurance of safety and effectiveness for certain devices with cybersecurity risks.

Take for example the cybersecurity risks associated with a wearable blood glucose monitor. Considered a home healthcare device, it is a software-enabled device used outside of a traditional healthcare setting to monitor blood sugar levels to help the user manage Type 1 or Type 2 diabetes. The results are transmitted to a smart phone or wearable device. In one scenario, the wearer can make a dosage decision based on the input received through monitoring. To the FDA this represents one level of risk as the software in the device or the wearable or mobile device can be hacked, resulting in incorrect or delayed results. In another scenario, the same software is used in a glucose pump that not only monitors blood sugar levels, but depending on the results, it automatically administers the necessary dosage of insulin. The same software is now considered a much higher risk by the FDA because it's dispensing medication, which could expose the wearer to physical danger.

This is just one example of why it's crucial when developing a connected medical device to identify the vulnerabilities in your software that could potentially lead to patient harm. To learn more about the key issues and considerations for connected medical devices, watch our on-demand webinar – FDA Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.