Final 2023 FDA Premarket Cybersecurity guidance released
By Mitch on Friday, 6 October 2023, 14:09 - Regulations - Permalink
The final version of the FDA guidance titled "Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions" was published on 27 September 2023.
The draft had been issued in 2022 and was reviewed in this article.
Amongst a long list of minor changes, the final version contains the following major changes in the body text:
- IEC 81001-5-1 is now referenced as a possible Secure Product Development Framework; this is good news for manufacturers selling their devices in both the EU and the USA,
- AAMI TIR57 is recommended to document the security risk management activities for a medical device system. It's worth noting that AAMI SW96 isn't mentioned (yet),
- The recommendation above appears in a new section V.A.2, Cybersecurity Risk Assessment, whose content is broadly aligned with AAMI SW96,
- A new section V.A.3 on Interoperability considerations has been added. In short, security controls are required when exchanging information with other software or devices (MD or non-MD),
- Manufacturers should provide an SBOM in a machine-readable format, something which is going to become systematic for all software in the US in the coming years.
The last major change is the new Appendix 4, "General Premarket Submission Documentation Elements and Scaling with Risk".
Its Table 1 summarizes the documentation expected by the FDA in premarket submissions; the amount of documentation should scale with the cyber risks of your devices.
Of course, we find the usual guidance warning: "This table is not intended to serve as merely a deliverable checklist."
But, gosh, yes, you are going to use it as a checklist. I am going to use it as a checklist. FDA reviewers are going to use it as a checklist!
All in all, the message delivered by the FDA in this final guidance doesn't change compared to the draft version: cybersecurity shall be taken seriously.
Prepare your security risk management files, your secure SDLC documents and your cyber PMS!
Comments
Hi Mitch, great post as always!
What's your take on the latest Recognized Consensus Standards from the FDA in regards to the Premarket Cybersecurity guidance?
It looks like AAMI SW96:2023 is now in the recognized consensus table, as well as IEC 29119-1:2022 and AAMI 2700-2-1:2022.
Would this change your view on applying IEC 81001-5-1 for SDLC (as well as security risk management) to a medical device development process?
Thanks and keep up with the great blog!
J.
Thanks for your feedback!
IEC 81001-5-1 is now the reference for cybersecurity in MD. But it is a bit short for the implementation on a cybersecurity risk management process.
My recommendation is to use IEC 81001-5-1 together with AAMI SW96:2023, if you want to have a top-notch cybersecurity risk management process. Otherwise, you can use AAMI TIR57 as a good source of info to implement a cybersecurity risk management process.
IEC 29119-1:2022 can be applied to have better info on SW testing (compared to IEC 62304). And AAMI 2700-2-1:2022 can be applied to have better info on interoperability. It's worth noting there's an interoperability section in the FDA eSTAR submission template.