FDA has released a new draft of Premarket Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions. Per the scope, this 2022 FDA Premarket Cybersecurity Guidance “is applicable to devices that contain software (including firmware) or programmable logic, as well as software as a medical device (SaMD). The guidance is not limited to devices that are network-enabled or contain other connected capabilities.”
You can download the guidance here: Premarket-Cybersecurity-Guidance draft-April-2022
Cybersecurity in Medical Devices
Quality System Considerations and Content of Premarket Submissions
Draft Guidance for Industry and Food and Drug Administration Staff
This draft guidance document is being distributed for comment purposes only.
Document issued on April 8, 2022.
- Secure Product Development Framework (SPDF)
FDA is using the terminology of a “secure product development framework (SPDF) which they define as “a set of processes that help reduce the number and severity of vulnerabilities in products.” Each manufacturer should consider how security fits into the overall product development lifecycle – not just an activity prior to or close to the time of a product release to the field. To ensure this happens, the quality management system (QMS) would likely need security related activities institutionalized into SOPs and design and development plan (DDP) templates. As with any quality related activities, proper evidence in documentation and records would be expected to make the quality argument.
- Design for Security
Obviously the QMS should have required design activities for security. This translates into security related activities in:
- Risk management
- Product requirements and software requirements
- Design review and design verification
- Design validation
The guidance lists these clear security objectives:
- Authenticity, which includes integrity
- Secure and timely updatability and patchability
- Understanding the Risks
A common pitfalls is to begin security activities without first understanding the role security will play based on the intended use of the product.
End users must be aware of any vulnerabilities and how it might affect their use of the product. Adopt a mindset that information should not be withheld or hidden from end-users – involve them in the overall security equation.
- “Living” document
The cybersecurity risk analysis is a “living” document. One would expect the revision history (or new reports) to occur periodically as more information is gained on the threats and on the “real world” effectiveness of the cyber controls.
What actions do we recommend?
In response to this FDA Premarket Cybersecurity Guidance, we would recommend that you evaluate your design controls process and software development lifecycle process against this guidance document. Do you have the expected activities? Do you have the proper documents and records to perform adequate accident or breach incident investigation?
We can help. We can review your procedures and provide recommendations for a more robust SPDF.