FDA proposes updated guidance for medical device cybersecurity protection

A new proposal released Oct. 18 by the FDA to strengthen cybersecurity protection for medical devices, including medical imaging equipment, will supersede a guidance originally issued in 2014.  

The new guidance is intended to provide recommendations to the medical device industry regarding cybersecurity device design, labeling and the documentation that FDA recommends be included in pre-market submissions for devices vulnerable to cybersecurity threats.

When finalized, the guidance will replace the FDA’s final guidance “Content of Premarket Submission for Management of Cybersecurity in Medical Devices” issued on Oct. 2, 2014.  

The guidance may also be applied to the following pre-market submissions for devices containing software (including firmware), programmable logic and software devices:  

  • Pre-market Notification (510(k)) submissions including Traditional, Special and Abbreviated
  • De Novo requests
  • Pre-market Approval Applications (PMAs)
  • Product Development Protocols (PDPs)
  • Humanitarian Device Exemption (HDE) applications.  

“FDA recognizes that medical device security is a shared responsibility among stakeholders, including health care facilities, patients, health care providers, and manufacturers of medical devices,” the guidance states. “Failure to maintain cybersecurity can result in compromised device functionality, loss of data (medical or personal) authenticity, availability or integrity, or exposure of other connected devices or networks to security threats.”  

The FDA will take submitted comments and suggestions regarding the guidance starting Oct. 18.