New FDA Draft Guidance "Cybersecurity in Medical Devices"
On 8 April 2022, the FDA (Center for Devices and Radiological Health - CDRH, in collaboration with the Center for Biologics Evaluation and Research - CBER) published a "Draft Guidance for Industry and Food and Drug Administration Staff - Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions". The draft is open for comment for 90 days at the "Dockets Management Staff, Food and Drug Administration".
Once finalised, the draft will replace the previous Guidance "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices" of 2 October 2014.
Structure of the Guidance
The very comprehensive document is divided into 6 chapters and 4 appendices:
- Introduction
- Scope
- Background
- General Principles
- Using SPDF to Manage Cybersecurity Risks (SPDF = Secure Product Development Framework)
- Cybersecurity Transparency
- Appendix 1: Security Control Categories and Associated Recommendations
- Appendix 2: Submission Documentation for Security Architecture Flows
- Appendix 3: Submission Documentation for Investigational Device Exemptions
- Appendix 4: Terminology
To whom does this Guidance apply?
This guidance applies to devices containing software (including firmware) or programmable logic, and to software as a medical device. The guidance is not limited to devices that are networkable or contain other networked functions. See "Scope" for further explanation.
Why a new Guidance?
The Guidance published in 2014 was supplemented in 2016 by the Guidance "Postmarket Management of Cybersecurity in Medical Devices". From the FDA's point of view, the revision of this guidance was necessitated by the rapidly changing landscape with increased threat scenarios, by the growing understanding of these threats, and by the recognition that appropriate defence measures are needed throughout the product life cycle. Even before market launch, manufacturers should sufficiently consider cybersecurity risks and integrate security measures into development.