Cybersecurity of medical devices

Cybersecurity has been of increasing concern over the last 10 years as more and more medical devices have been connected to networks or directly to the internet itself. The FDA has taken the lead from a regulatory perspective and has issued guidance on both pre-market submissions (the '510(k) process') and post-market actions. It has recently updated its advice on the former, and this is currently available in draft form.
The new guidance is intended to be used as a supplement to two previous guidance documents issued in 2005: one on the pre-market approval of software medical devices and one on cybersecurity of networked devices.
From the FDA's worklist for 2019, it appears that the software-specific guidance will be updated, and there will also be new guidance on the 'content of pre-market submissions for cybersecurity of medical devices of moderate and major level of concern' (see Note below).
Under US law, taking measures to ensure adequate cybersecurity of medical devices is not optional. Medical device manufacturers must comply with relevant federal regulations, and one of those regulations (the quality system regulations, QSRs) requires that medical device manufacturers address all risks, including cybersecurity risk. The pre- and post-market cybersecurity guidance documents referred to above provide recommendations for meeting the QSRs.

Mobile apps that require an internet connection to work...
more to be added on this...
A note on the FDA's levels of concern (LoC)
The FDA requires the manufacturer to assign a 'level of concern' (minor, moderate, major) for software contained in medical devices, which roughly approximates to the (A, B, C) software safety classification described in IEC 62304:2006. Both systems are based on the severity of potential harm only, and take no account of likelihood. The IEC system was updated in 2015 (device classification now depends on the severity of harm and probability of occurrence) but the 2005 FDA system is yet to be amended. The level of concern is used to determine the type and amount of documentation to be included in a pre-market submission; it does not relate to device classification per se.
The state of the art regarding cybersecurity for health software is now represented by IEC 81001-5-1:2021 (Health software and health IT systems safety, effectiveness and security - Part 5-1: Security - Activities in the product life cycle).
This page last updated: 04 May 2023