FDA Draft Guidance on Cybersecurity in Medical Devices

Introduction

On April 8, 2022, the FDA released a draft guidance titled “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions: Draft Guidance for Industry and Food and Drug Administration Staff.” It sets out what the agency expects to see on cybersecurity both in a manufacturer's quality system and in the content of premarket submissions. (The FDA later finalized this guidance in September 2023; this post discusses the 2022 draft.)

Background: Evolution of FDA’s Approach to Cybersecurity

A premarket cybersecurity draft guidance from the FDA is not a new initiative. In October 2018 the agency published a draft guidance titled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” intended to replace the 2014 final guidance of the same name. Rather than finalizing that 2018 draft, the FDA chose to withdraw it and release an entirely new draft. This decision reflects the rapid evolution of the medical device industry and significant changes in the cybersecurity threat landscape.

Shift from the Previous Framework to the New Approach

The 2018 draft guidance primarily provided a framework for considering cybersecurity during product development, including a risk-tiering scheme for devices. The 2022 draft guidance takes a different approach: it addresses cybersecurity within the context of the Quality System Regulation (QSR, 21 CFR Part 820) and directs manufacturers to consider implementing a Secure Product Development Framework (SPDF) as one way to meet QSR requirements. This positions cybersecurity not merely as a development-stage consideration but as an element integrated throughout the entire medical device quality system, from design controls through complaint handling and postmarket maintenance.

Introduction of SBOM Requirements

A particularly significant requirement in the 2022 draft guidance is the creation and submission of a Software Bill of Materials (SBOM). The 2018 draft had asked for a broader “cybersecurity bill of materials” (CBOM) covering hardware as well as software; the 2022 draft narrows this to an SBOM and asks that it be machine-readable and consistent with the NTIA “Minimum Elements for a Software Bill of Materials.” Manufacturers are expected to prepare the SBOM and submit it to the FDA as part of their premarket submissions. The SBOM enumerates all software components in the device, including third-party libraries and open-source software, with supplier, name, version and other identifying details for each. This documentation enables the FDA, and the manufacturer itself, to check components against known vulnerabilities and to track software dependencies over the device's life cycle.
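The practical use of an SBOM is that a reviewer can cross-check every listed component against a vulnerability feed and spot components missing the minimum identifying fields. The script below is an added example, not FDA tooling or any manufacturer's code: it parses a constructed SBOM fragment laid out in CycloneDX JSON (the `bomFormat`, `specVersion` and `components` field names are real CycloneDX names; the components themselves are made up), checks that each component carries a supplier, name and version, and flags components whose version is below a fixed version in a constructed advisory table. The advisory identifiers and fixed versions are assumptions for illustration, and the version comparison is deliberately simple.

```python
"""Parse a minimal CycloneDX-style SBOM and cross-check its components.

Added illustration only; not FDA or vendor tooling. The SBOM fragment and
the advisory table below are constructed for the example.
"""
import json
import re

# Constructed SBOM in CycloneDX JSON layout. Field names follow CycloneDX;
# the components, versions and supplier names are invented.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "openssl", "version": "1.1.1k",
         "supplier": {"name": "OpenSSL Project"},
         "purl": "pkg:generic/openssl@1.1.1k"},
        {"type": "library", "name": "zlib", "version": "1.2.11",
         "supplier": {"name": "zlib"},
         "purl": "pkg:generic/zlib@1.2.11"},
        # Missing supplier: should be reported as an incomplete entry.
        {"type": "operating-system", "name": "example-rtos", "version": "4.2"},
    ],
})

# Constructed advisory table: component name -> [(advisory id, first fixed
# version)]. Real triage would pull from NVD/CISA and use proper version
# semantics; the IDs here are placeholders, not real advisories.
ADVISORIES = {
    "openssl": [("ADV-CONSTRUCTED-1", "1.1.1l")],
    "zlib": [("ADV-CONSTRUCTED-2", "1.2.12")],
}

# Subset of the NTIA minimum elements that can be checked per component.
REQUIRED_FIELDS = ("supplier", "name", "version")


def version_key(version):
    """Turn '1.1.1k' into (1, 1, 1, 'k') so tuples compare in a useful order.

    Digits become ints, letter runs stay strings. Good enough for the
    constructed data; not a general version comparator.
    """
    parts = re.findall(r"\d+|[a-zA-Z]+", version)
    return tuple(int(p) if p.isdigit() else p for p in parts)


def missing_fields(component):
    """Return the required fields absent or empty on one component."""
    return [f for f in REQUIRED_FIELDS if not component.get(f)]


def find_affected(sbom_json, advisories):
    """Return [(name, version, advisory_id)] for components below a fix."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        for adv_id, fixed_in in advisories.get(comp.get("name"), []):
            if version_key(comp["version"]) < version_key(fixed_in):
                hits.append((comp["name"], comp["version"], adv_id))
    return hits


def sbom_report(sbom_json, advisories):
    """Combine vulnerability hits and completeness gaps into one report."""
    sbom = json.loads(sbom_json)
    incomplete = {}
    for comp in sbom.get("components", []):
        gaps = missing_fields(comp)
        if gaps:
            incomplete[comp.get("name", "<unnamed>")] = gaps
    return {"affected": find_affected(sbom_json, advisories),
            "incomplete": incomplete}


if __name__ == "__main__":
    print(json.dumps(sbom_report(SAMPLE_SBOM, ADVISORIES), indent=2))
```

Run as-is, the report lists the two outdated libraries under `affected` and the RTOS entry under `incomplete` because it has no supplier. In a real submission the same check would run against the manufacturer's own vulnerability feed and would also cover the support status and end-of-support dates the guidance asks for.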

FDA’s Pre-Approval Review Practices

It is important to note that the FDA was already raising cybersecurity questions during premarket review before this draft was published. In previous submissions, the agency has questioned manufacturers about, and carefully reviewed, the cybersecurity measures of devices that expose external interfaces such as network ports or accept removable media such as SD cards. That such inquiries and deficiency comments were being issued in the premarket phase shows that the FDA's regulatory approach to cybersecurity was established in practice before it was written down. The documented guidance therefore serves both as a clarification of the expectations for the entire medical device industry and as a response to the increasingly sophisticated threats that connected medical devices face today.

Global Expansion of Medical Device Cybersecurity Regulation

Devices marketed internationally cannot rely on cybersecurity measures designed for the regulations of a single country. As regulatory authorities worldwide increase their focus on medical device cybersecurity, a globally harmonized and consistent approach is becoming essential. Japan and other jurisdictions are expected to adopt cybersecurity requirements comparable to those of the FDA in the coming years.

Cybersecurity Framework in Japan

In Japan, the Ministry of Health, Labour and Welfare issued the “Guidance on Implementation of Cybersecurity for Medical Devices” (医療機器のサイバーセキュリティ導入に関する手引書) on December 24, 2021. This handbook was developed from “Principles and Practices for Medical Device Cybersecurity,” published by the International Medical Device Regulators Forum (IMDRF) on March 18, 2020, and it sets out the development objectives and technical requirements expected for medical device cybersecurity in Japan.

Future Regulatory Framework in Japan

The Japanese regulatory authorities had planned to amend the Essential Principles for medical devices (the standard stipulated under Article 41, Paragraph 3 of the Pharmaceutical Affairs Law, now the Act on Securing Quality, Efficacy and Safety of Products Including Pharmaceuticals and Medical Devices) by around 2023 so that cybersecurity becomes a conformity requirement. Since then, from 2024 through 2025, Japan's requirements for medical device cybersecurity have become increasingly concrete and comprehensive, and cybersecurity conformity is being confirmed as part of the approval and certification processes for medical devices.

Expectations for the Industry and Future Considerations

Medical device manufacturers now face an urgent need to document their cybersecurity procedures, policies, and implementation methods. In particular, manufacturers must understand the requirements of the FDA, of EU authorities under the Medical Device Regulation (including MDCG 2019-16, the guidance on cybersecurity for medical devices), and of Japan's MHLW and PMDA, and prepare internationally harmonized responses rather than separate, jurisdiction-specific ones. To prepare for the anticipated strengthening of these regulations, companies should improve collaboration among quality assurance, software development, and security teams, and treat cybersecurity as an integral component of the overall quality system rather than a separate deliverable. This integrated approach will be essential for medical device companies to navigate an increasingly complex and demanding regulatory landscape.
