GxP Lifeline

Medical Device Trends: Medical Device Cybersecurity Guidance


Connectivity offers many potential benefits to medical devices. Unfortunately, that connectivity also presents risks. A device being hacked potentially creates a life-threatening situation for a patient. Understandably, that makes it a big deal for the U.S. Food and Drug Administration (FDA) and other regulators around the globe. The FDA’s most recent guidance document, “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions,” builds upon former ones and offers suggestions on how to improve medical device cybersecurity.

This isn’t a medical device industry trend that’s going to disappear anytime soon, but it’s not the only trend worth keeping an eye on. To read more about the quality trends in this industry, download the trend brief.

FDA Cybersecurity

For the FDA, cybersecurity falls into the category of quality. This makes sense, given that poor cybersecurity can compromise the safety of a device. According to the guidance document, “Security risk management should be part of a manufacturer’s quality system.” The guidance ties cybersecurity directly to the requirements in the Quality System Regulation (QSR).

The FDA cybersecurity guidance document recommends using a secure product development framework (SPDF), though the agency is quick to point out that medical device manufacturers shouldn’t discontinue processes that are effective just because they aren’t mentioned in the guidance document. The guidance also has a long list of documentation that the FDA would want to see from manufacturers.

Medical Device Cybersecurity Guidance

This isn’t a brand-new topic. The FDA’s medical device cybersecurity guidance is one of a long line of regulatory guidance documents meant to help medical device companies improve cybersecurity practices. In 2021, Australia’s Therapeutic Goods Administration (TGA) released its “Medical Device Cybersecurity Guidance for Industry,” and in 2020, the International Medical Device Regulators Forum (IMDRF) released its “Principles and Practices for Medical Device Cybersecurity.” We can expect to hear more from regulators as this medical device industry trend continues.

Not surprisingly, there are some similarities among these documents. For example, the FDA, TGA, and IMDRF all recommend a total product life cycle (TPLC) approach. They also all endorse a software bill of materials (SBOM), but the IMDRF has a separate guidance document focused solely on SBOM, “Principles and Practices for Software Bill of Materials for Medical Device Cybersecurity.” The commonalities aren’t unexpected, considering that another quality trend is harmonization efforts among regulators.


Connected devices can offer enormous benefits to patients, but any connected device presents a risk as well. Considering the rapid pace of technology development, FDA cybersecurity guidance documents will probably be released and updated on a more frequent basis. Quality managers don’t necessarily have to become cybersecurity experts, but they do need to familiarize themselves with regulators’ expectations.

To read up on other medical device industry trends, download our trend brief.


Sarah Beale is a content marketing specialist at MasterControl in Salt Lake City, where she writes white papers and web pages and is a frequent contributor to the company’s blog, GxP Lifeline. Beale has been writing about the life sciences and health care for over five years. Prior to joining MasterControl, she worked for a nutraceutical company in Salt Lake City, and before that she worked for a third-party health care administrator in Chicago. She has a bachelor’s degree in English from Brigham Young University and a master’s degree in business administration from DeVry University.
