Final FDA Premarket Cybersecurity Guidance

FDA released its final guidance “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices”.

This guidance states that device manufacturers should develop cybersecurity controls as part of device development “to assure medical device cybersecurity and maintain medical device functionality and safety.”. This should include establishing design inputs for cybersecurity, including addressing vulnerabilities as part of the software validation and risk analysis process under 820.30(g). It provides a list of elements for this in Section 4.

The guidance recommends that the core functions guiding cybersecurity activities include: Identify, Protect, Detect, Respond, and Recover.

Section 6 defines cybersecurity information to be included in premarket submissions:
1. Hazard Analysis related to cybersecurity
2. Trace matrix of cybersecuirty controls to risks
3.A summary describing the plan for providing validated software updates and patches during use
4. A summary describing controls to ensure the device maintains its integrity in use
5. Labeling to describe controls related to the intended use environment (e.g. firewalls).

The guidance then lists a number of relevant standards including 80002-1 and 80002-2 for networked medical devices and CLSI, AUTO11-A for IVDs.

The full guidance can be downloaded here:  2014-10-Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. SoftwareCPR has been helping clients identify cybersecurity risks and controls and prepare cybersecurity information in premarket submissions for many years as part risk analysis information and can help you conform to the requirements of this new guidance.

Upcoming Training

Agile Methods for Medical Device and Health IT Software

One day course that expands on the software risk management topics covered in our IEC 62304 and other Emerging Standards for Medical Device and HealthIT Software course. Essentially the same topics are covered but in greater depth with more attention to hands-on analysis of examples.

Email training@softwarecpr.com for more info.

Corporate Office

15148 Springview St
Tampa, FL 33624
USA
+1-781-721-2921
Partners located in the US (CA, FL, MA, MN) and Italy.