FDA released its final guidance “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices”.
This guidance states that device manufacturers should develop cybersecurity controls as part of device development “to assure medical device cybersecurity and maintain medical device functionality and safety.”. This should include establishing design inputs for cybersecurity, including addressing vulnerabilities as part of the software validation and risk analysis process under 820.30(g). It provides a list of elements for this in Section 4.
The guidance recommends that the core functions guiding cybersecurity activities include: Identify, Protect, Detect, Respond, and Recover.
Section 6 defines cybersecurity information to be included in premarket submissions:
1. Hazard Analysis related to cybersecurity
2. Trace matrix of cybersecuirty controls to risks
3.A summary describing the plan for providing validated software updates and patches during use
4. A summary describing controls to ensure the device maintains its integrity in use
5. Labeling to describe controls related to the intended use environment (e.g. firewalls).
The guidance then lists a number of relevant standards including 80002-1 and 80002-2 for networked medical devices and CLSI, AUTO11-A for IVDs.
The full guidance is at the link provided. SoftwareCPR has been helping clients identify cybersecurity risks and controls and prepare cybersecurity information in premarket submissions for many years as part risk analysis information and can help you conform to the requirements of this new guidance.