New FDA Draft Guidance "Cybersecurity in Medical Devices"
On 8 April 2022, the FDA (Center for Devices and Radiological Health - CDRH in collaboration with the Center for Biologics Evaluation and Research - CBER) published a "Draft Guidance for Industry and Food and Drug Administration Staff - Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions". The draft is open for comment during 90 days at the "Dockets Management Staff, Food and Drug Admininstration".
Once finalised, the draft will replace the previous Guidance "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices" of 2 October 2014.
Structure of the Guidance
The very comprehensive document is divided into 6 chapters and 4 appendices:
- Introduction
- Scope
- Background
- General Principles
- Using SPDF to Manage Cybersecurity Risks (SPDF = Secure Product Development Framework)
- Cybersecurity Transparency
- Appendix 1: Security Control Categories and Associated Recommendations
- Appendix 2: Submission Documentation for Security Architecture Flows
- Appendix 3: Submission Documentation for Investigational Device Exemptions
- Appendix 4: Terminology
To whom does this Guidance apply?
This guidance applies to devices containing software (including firmware) or programmable logic, and to software as a medical device. The guidance is not limited to devices that are networkable or contain other networked functions. See "Scope" for further explanation.