To allow a more efficient pre-market review process and more effective protection of marketed medical devices against cybersecurity vulnerabilities, FDA issued on October 18 the draft of the latest edition of the “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. Draft Guidance for Industry and Food and Drug Administration Staff”.
The 2018 edition brings the following additions:
- new and/or updated definitions of key terms;
- a two-tier cybersecurity risk assessment approach for medical devices:
- Tier 1 (higher risk) includes devices that can connect to another medical or non-medical product, a network or the Internet and/or which may cause direct damage to the patient;
- Tier 2 (standard risk) includes the remaining devices;
- the concept of “trustworthy device”, meaning a medical device containing hardware, software, and/or programmable logic that is reasonably effective and secure in terms of cybersecurity;
- recommendations for the labeling of medical devices with cybersecurity risks.
The new version of the guideline aims to place greater emphasis on controls during the design and development of medical devices subject to cybersecurity risks, before being placed on the market. Once finalized, it will replace the previous version issued on October 2014.