The FDA's 2018 Cybersecurity Guidance

by J. David Giese on August 12, 2021

In October of 2018 the FDA released a draft cybersecurity guidance, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” which is meant to replace its 2014 guidance with the same name. As of August 2021, the guidance is still a draft.

Although most medical device engineers will find the guidance easy to read, it’s long and has some irrelevant content. For example, the FDA traces their authority back to the various legal statutes. This article prunes, summarizes, and reorganizes the original guidance documents to make it easier for software engineers to read. Here’s a link to the actual guidance if you need the details.

Thank you to everyone at the FDA for their efforts to keep patients safe and make device manufacturers’ jobs as easy as possible through these guidance documents.

If you’re overwhelmed by regulations, guidance documents, and standards, we can help. We provide turn-key engineering solutions with cybersecurity best practices built into our standard agile processes using our open-source regulatory documentation manager. Contact us if you’d like a team that helps bring your device to the market as quickly as possible. If you have an engineering team, we can also help you with cybersecurity.

Motivation 🔗

The need for effective cybersecurity to ensure medical device functionality and safety has become more important with the increasing use of wireless, Internet- and network-connected devices, portable media (e.g. USB or CD), and the frequent electronic exchange of medical device-related health information. In addition, cybersecurity threats to the healthcare sector have become more frequent, more severe, and more clinically impactful. Cybersecurity incidents have rendered medical devices and hospital networks inoperable, disrupting the delivery of patient care across healthcare facilities in the US and globally. Such cyberattacks and exploits can delay diagnoses and/or treatment and may lead to patient harm.

The FDA recommends industry utilize the FDA presubmission process to discuss design considerations for meeting adequacy of cybersecurity risk management throughout the device life-cycle.

Cybersecurity risk tiers 🔗

The FDA classifies devices into two cybersecurity tiers. A device is Tier 1, “Higher Cybersecurity Risk,” if the following criteria are both met:

  1. The device is capable of connecting to another medical or non-medical product, or to a network, or to the Internet
  2. A cybersecurity incident affecting the device could directly result in patient harm to multiple patients

A device is Tier 2, “Standard Cybersecurity Risk,” if it doesn’t meet the criteria to be Tier 1.

Cybersecurity design controls 🔗

Premarket submissions for Tier 1 devices should demonstrate how the device design and risk assessment incorporate the design controls listed below. Tier 2 devices may provide a risk-based rationale for why specific design controls are not appropriate.

Limit access to trusted users & devices only 🔗

Authenticate and check authorization of safety-critical commands 🔗

Maintain code, data, and execution integrity 🔗

Detect cybersecurity events in a timely fashion 🔗

Respond to and contain the impact of a potential cybersecurity incident 🔗

Recover capabilities or services that were impaired due to a cybersecurity incident 🔗

Cybersecurity documentation 🔗

Labeling 🔗

When drafting labeling for inclusion in a premarket submission, a manufacturer should consider all applicable labeling requirements and how informing users through labeling may be an effective way to manage cybersecurity risks. Specifically, we recommend the following be included in labeling to communicate to end-users relevant security information:

Design 🔗

Risk management 🔗

Risk assessments tie design to threat models, clinical hazards, mitigations, and testing.

Cybersecurity risk management documentation should include:

We can help 🔗

If you’re overwhelmed by regulations, guidance documents, and standards, we can help. We provide turn-key engineering solutions with cybersecurity best practices built into our standard agile processes using our open-source regulatory documentation manager. Contact us if you’d like a team that helps bring your device to the market as quickly as possible. If you have an engineering team, we can also help you with cybersecurity.

Get Medtech Software Tips

Subscribe using RSS

How frequently are they sent?

We send out tips about once a month.

What will I read?

Articles about software development, AI, signal and image processing, medical regulations, and other topics of interest to professionals in the medical device software industry.

You may view previous articles here.

Who creates the content?

The Innolitics team, and experts we collaborate with, write all of our articles.

Want to know more?

Contact us.