Skip to main content

Author: Emerance Gummels, Principal Software and Regulatory Consultant

Cybersecurity for medical devices is crucial to protect patient data and device functionality. Recent updates to the Federal Food, Drug, and Cosmetic Act (FD&C Act) emphasize the importance of securing these devices.

Understanding Cyber Devices Under the FD&C Act

Section 524B of the FD&C Act defines a ‘cyber device’ as one that:

  • Includes software considered part of the device.
  • Has internet connectivity.
  • Contains technological features susceptible to cyber threats.
Regulatory Requirements

As of March 2023, submissions for a 510(k), PMA, PDP, De Novo, or HDE for a cyber device must include information ensuring compliance with the Act’s cybersecurity requirements.

Key Takeaways for Effective Cybersecurity
  1. Be Proactive: The ideal time to start planning for cybersecurity in medical device software is from the very beginning of the development process. Building security into the system from the start avoids the need for expensive and time-consuming rework later.
  2. Follow FDA Guidelines: The FDA provides cybersecurity recommendations for medical device software development. Best practice is to align submission documentation with FDA guidance documents and establish compliance with recognized standards on cybersecurity (e.g., IEC 81001-6-1:2021, AAMI TIR57:2016).
  3. Supplier Selection: Carefully select your third-party providers of services and components used in the cyber device, including commercial, open-source, and off-the-shelf software. Choose suppliers with a long-term perspective, commitment to ongoing support, updates, and patches, and establish open communication channels.

Think of cybersecurity as a core feature of your medical device software, not an afterthought. This proactive approach safeguards patient data, device functionality, and ultimately, patient safety.

Ready to enhance the cybersecurity of your medical devices? Schedule a discovery call with us today to ensure your devices meet all regulatory requirements and industry best practices.