Overview of the New FDA Guidance on Cybersecurity

The U.S. Food and Drug Administration (FDA) has published new guidance on integrating cybersecurity into the quality system management and premarket submission process for medical devices. It covers risk management, design controls, software validation, and other elements to ensure the safety, effectiveness, and security of medical devices in the face of potential cyber threats.

The goal of the document is to impress upon device manufacturers the need to consider cybersecurity in all aspects of device software, including design, development, testing, monitoring, and maintenance. A key concept of the document is planning for the “Total Product Life Cycle.” The FDA has pulled in many aspects of cybersecurity that would normally be left to HIPAA and device customers. It is now incumbent on device manufacturers to integrate secure software practices from the beginning of the development phase and to show through documentation how they will continue to ensure the device remains secure.

Starfish Medical, a medical device design service provider based in Victoria and one of UVic's co-op employers, has published an article on this issue.