FDA Releases Draft Medical Device Cybersecurity Guidelines

The U.S. Food and Drug Administration released draft guidelines for the cybersecurity of medical devices last week.

The draft guidance, “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions,” aims to highlight the importance of protecting medical devices throughout a product’s lifecycle.

The guidelines would replace those issued by the agency in 2018.

“These recommendations can facilitate an effective premarket review process and help ensure that medical devices in the market are sufficiently resilient to cybersecurity threats,” the FDA said in a Federal Register notice on the guidance.


Cybersecurity, particularly in relation to medical devices, has taken on increased importance as more and more patients benefit from connected care.

“Increased connectivity has allowed individual devices to function as single elements of larger medical device systems,” the FDA noted in its draft guidance. “These systems may include healthcare facility networks, other devices, and software update servers, among other interconnected components.

“Therefore, without adequate cybersecurity considerations in all aspects of these systems, a cybersecurity threat can compromise the security and/or effectiveness of a device by compromising the functionality of any system asset,” the guidance continues.

The general principles set out in the draft guidelines include a recognition that cybersecurity is part of device safety and the Quality System Regulations, the FDA’s plan for evaluating the adequacy of a device’s safety based on the purposes listed, and the importance of transparency for device users.

“Manufacturers should consider the larger system in which the device may be used,” the agency said, pointing to the difference in risk profile between an unconnected thermometer and one used in a safety-critical control loop.

“Cybersecurity risks change over time and therefore the effectiveness of cybersecurity controls may deteriorate as new risks, threats and methods of attack emerge,” the guidelines state. “Because cybersecurity is part of device safety and efficiency, cybersecurity controls must take into account the intended and actual environment of use.”

The guidance also included labeling suggestions for devices with cybersecurity risks, including step-by-step diagrams and descriptions of backup and restore procedures.

“Instructions for managing cybersecurity risks should be understandable to the intended audience, which may include patients or caregivers with limited technical knowledge,” the agency said.

The FDA requests that comments be submitted in electronic or written form by July 7, 2022.


The agency’s draft guidelines are the latest of several publications concerning the health informatics and medical technology industry over the past few years.

Last October, it published “guiding principles” for the development of devices based on artificial intelligence and machine learning, followed by draft guidelines on software functions.

Just this week, UCLA Biodesign executive director Dr. Jennifer McCaney told Health Informatics News that the majority of executives in a recent survey believe the FDA has responded more effectively to the changing needs of medical innovation compared to its global counterparts.

“Examples of specific instruments the FDA has implemented to promote innovation include the introduction of breakthrough device designation to accelerate patient access to technologies that address significant unmet needs, the creation of the De Novo grant, the provision of regulatory guidance for software, and the establishment of the FDA’s Digital Health Center of Excellence,” McCaney said.

Meanwhile, legislation was introduced earlier this month that would impose a series of cybersecurity requirements on manufacturers seeking premarket approval through the FDA, among other provisions.


“With the increasing integration of wireless, Internet and network connected capabilities, portable media…and the frequent electronic exchange of health information related to medical devices, the need for robust cybersecurity controls to ensure security and the effectiveness of medical devices has become more important,” the FDA said in the draft guidance.

“In addition, cybersecurity threats to the healthcare sector have become more frequent and severe, with increased potential for clinical impact,” the agency continued.

Kat Jercich is editor of Healthcare IT News.
Healthcare IT News is a HIMSS Media publication.
