The update incorporates new statutory requirements and outlines the FDA’s recommendations for cybersecurity information in device submissions.
The US Food and Drug Administration (FDA) has finalized a guidance document to assist medical device sponsors in addressing cybersecurity considerations as part of the premarket review process.
The guidance—Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions—was announced in the Federal Register on June 27 and updates a previous version issued in 2023. It also finalizes draft guidance released in March 2024. The document provides FDA’s recommendations regarding cybersecurity design, labeling, and documentation that may be included in submissions for devices that present cybersecurity risk.
This update incorporates statutory changes from the Food and Drug Omnibus Reform Act of 2022, which added Section 524B to the Federal Food, Drug, and Cosmetic Act. That section requires sponsors of certain “cyber devices” to include specific cybersecurity information in submissions such as 510(k)s, PMAs, De Novos, PDPs, and HDEs. Devices that fall within this definition generally contain software, connect to the internet, and include technological features that could be vulnerable to cybersecurity threats.
The guidance also outlines general principles for secure product development and discusses topics such as threat modeling, software bills of materials, cybersecurity testing, and risk management throughout the device lifecycle.
While the guidance is not legally enforceable, it reflects the FDA’s current thinking and is intended to support compliance with applicable quality system regulations and statutory Stakeholders may submit comments or suggestions to Docket No. FDA-2021-D-1158 via Regulations.gov.