Katrina’s Blog™

News and Commentary

on the science and technology of drugs and medical devices, including discovery, development, manufacturing, and regulation.

Draft Guidance on Managing Cybersecurity in Medical Devices

November 1, 2018

Now Open for Comment

This month the FDA released a draft guidance on managing cybersecurity in medical devices (“Content of Premarket Submissions for Management of Cybersecurity in Medical Devices”; download the draft here). The guidance will be available for public comment under Docket FDA-2018-D-3443 from October 18, 2018 until March 18, 2019. When finalized, this draft will replace the original version of the guidance issued in October 2014 (find it here). The purpose of the update is to address the expanded range of possible avenues of threat and the increase in frequency, severity and impact of actual incidents. Changes include additional definitions and revision of the text to emphasize the manufacturer’s responsibilities for evaluating and maintaining cybersecurity for their devices. Important recommendations in the draft include:

  • A tiered system for classifying devices for their cybersecurity risk, 
  • Guidance for application of the NIST cybersecurity framework,
  • Recommendations for preventing unauthorized use of the device through its software, ensuring trusted content through code maintenance, and maintaining data confidentiality,
  • Approaches to device design that enable detection of, response to, and recovery from cybersecurity events, and
  • Enhancements to documentation, including a Cybersecurity Bill of Materials (CBOM), which supports compliance with purchasing controls for conformance of items with specified cybersecurity requirements. The agency feels the CBOM could become a critical element in identifying cybersecurity assets, threats, and vulnerabilities in the future.

There is a public workshop on the draft guidance planned for January 29-30, 2019. Interested parties may register to attend the meeting in person or join the webcast version. This new draft includes significant new material and is an important part of the agency’s increased emphasis on cybersecurity. Anyone using software as part of their medical device should review the document and provide thoughtful comment.

Text Copyright © 2018 Katrina Rogers
