March 13, 2024
by Jeff Craven

FDA proposes updates to device cybersecurity guidance

The US Food and Drug Administration (FDA) has released a draft guidance that proposes updating the agency’s final guidance on cybersecurity of medical devices. The update would add information to the final guidance about the types of devices that fall under section 524B(c) of the Food, Drug, and Cosmetic Act (FD&C Act), as well as who is required to comply with the requirements for ensuring the cybersecurity of medical devices.
 
“This draft guidance, when finalized, will identify the information FDA generally considers to be necessary to support obligations under section 524B of the FD&C Act,” FDA wrote in a Federal Register notice.
 
The agency noted that a person who submits a 510(k), premarket approval application (PMA), product development protocol (PDP), De Novo, or humanitarian device exemption (HDE) for a device that meets the definition of a cyber device is required to submit information demonstrating that the device meets cybersecurity requirements. According to section 524B(c), a cyber device connects to the internet through any means, is vulnerable to cybersecurity threats, and contains software that has been validated, installed, or authorized by a sponsor either as a device or in a device.
 
The documentation requirements under section 524B include processes and procedures that “provide a reasonable assurance that the device and related systems are cybersecure.” These include documentation of a plan to proactively identify and handle cybersecurity vulnerabilities and exploits, and a plan and appropriate timeline for releasing updates and patches for vulnerabilities to all affected devices. Manufacturers must also maintain the documentation with an eye towards new risks and vulnerabilities across the total product lifecycle. Another requirement of section 524B is the creation of a software bill of materials, regardless of whether the device has components from commercial, open source, or off-the-shelf sources.
 
In terms of modifications to the device, FDA said the documentation it recommends that manufacturers of cyber devices provide will generally differ based on the type of change and whether such change impacts the cybersecurity of the device. Manufacturers should consider whether a change would or would not impact cybersecurity and act according to the device’s documentation requirements as outlined in the guidance. Examples of what might impact cybersecurity include a change to an algorithm that relates to authentication or encryption, new connectivity features, or software updates. By contrast, material changes, changes to sterilization method, or algorithm changes that don’t impact a device’s architecture, software structure, and connectivity are not likely to affect cybersecurity.
 
If a change is unlikely to affect cybersecurity, manufacturers may submit summary information in place of the documentation requirements if there is a “reasonable assurance that the device and related systems are cybersecure.”
 
“In general, in its cybersecurity review, FDA intends to focus substantive review on modifications to cybersecurity controls or modifications that are likely to affect cybersecurity,” they said. “However, regardless of the type of change being proposed to the device in the premarket submission, FDA intends to take into account known cybersecurity concerns that are applicable to such device when conducting its premarket reviews and in determining whether the device has a reasonable assurance of cybersecurity.”
 
For 510(k) submissions, FDA looks at changes in the device’s environment, changes to technological characteristics of a predicate device that would introduce new risks or vulnerabilities, and whether the device design and testing operate with new risks or vulnerabilities.
 
FDA said the deadline for public comments on the draft guidance is 13 May 2024, after which it will consider the comments and incorporate the draft guidance into the final guidance document.
 