FDA releases medical device cybersecurity draft guidance

The US Food and Drug Administration published a draft guidance this past week with regard to medical device cybersecurity.

The draft guidance, “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions,” seeks to emphasize the importance of safeguarding medical devices throughout a product’s life cycle.

The guidance would replace one issued by the agency in 2018.

“These recommendations can facilitate an efficient premarket review process and help ensure that marketed medical devices are sufficiently resilient to cybersecurity threats,” said FDA in the Federal Register Notice about the guidance.


Cybersecurity, particularly where medical devices are concerned, has taken on increased significance as more patients benefit from connected care.

“Increased connectivity has resulted in individual devices operating as single elements of larger medical device systems,” noted the FDA in its draft guidance. “These systems can include healthcare facility networks, other devices and software update servers, among other interconnected components.

“Consequently, without adequate cybersecurity considerations across all aspects of these systems, a cybersecurity threat can compromise the safety and/or effectiveness of a device by compromising the functionality of any asset in the system,” the guidance continued.

The general principles put forth in the draft guidance comprise an acknowledgment that cybersecurity is part of device safety and the Quality System Regulations; the FDA’s plan for assessing the adequacy of a device’s security based on listed objectives; and the importance of transparency for device users.

“Manufacturers should take into account the larger system in which the device may be used,” said the agency, flagging the difference in risk profile between a non-connected thermometer and one used in a safety-critical control loop.

“Cybersecurity risks evolve over time and as a result, the effectiveness of cybersecurity controls may degrade as new risks, threats and attack methods emerge,” said the guidance. “As cybersecurity is part of device safety and effectiveness, cybersecurity controls should take into consideration the intended and actual use environment.”

The guidance also included labeling suggestions for devices with cybersecurity risks, including detailed diagrams and descriptions of backup-and-restore procedures.

“Instructions to manage cybersecurity risks should be understandable to the intended audience, which might include patients or caregivers with limited technical knowledge,” said the agency.

The FDA is requesting that comments be submitted, either electronically or in writing, by July 7, 2022.


The agency’s draft guidance is the latest of several publications regarding the health IT and medtech industry over the past few years.

This past October, it released “guiding principles” for the development of devices relying on artificial intelligence and machine learning, followed by draft guidance on software functions.

Just this week, UCLA Biodesign executive director Dr. Jennifer McCaney told Healthcare IT News that the majority of executives in a recent study believe the FDA has responded more effectively to the evolving needs of medical innovation when compared to its global counterparts.

“Examples of specific instruments that the FDA has implemented to promote innovation include the introduction of the breakthrough device designation to accelerate patient access to technologies that address significant unmet needs, the creation of the De Novo granting, the provision of regulatory guidance for software, and the establishment of the FDA’s Digital Health Center of Excellence,” said McCaney.

Meanwhile, legislation was introduced earlier this month that would impose a series of cybersecurity requirements for manufacturers applying for premarket approval through the FDA, among other provisions.


“With the increasing integration of wireless, Internet and network-connected capabilities, portable media … and the frequent electronic exchange of medical device related health information, the need for robust cybersecurity controls to ensure medical device safety and effectiveness has become more important,” said the FDA in the draft guidance.

“In addition, cybersecurity threats to the healthcare sector have become more frequent and more severe, carrying increased potential for clinical impact,” it continued.

Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Email: kjercich@himss.org
Healthcare IT News is a HIMSS Media publication.