FDA Guidance for Industry
Content of Premarket Submissions for Management of Cybersecurity in Medical Devices
Document Issued on: October 2, 2014
The draft of this document was issued on June 14, 2013.
The need for effective cybersecurity to assure medical device functionality and safety has become more important with the increasing use of wireless, Internet- and network- connected devices, and the frequent electronic exchange of medical device-related health information. This guidance has been developed by the FDA to assist industry by identifying issues related to cybersecurity that manufacturers should consider in the design and development of their medical devices as well as in preparing premarket submissions for those devices.
The recommendations contained in this guidance document are intended to supplement FDA’s “Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices” (http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/u cm089543.htm) and “Guidance to Industry: Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software” (http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/u cm077812.htm).
This guidance provides recommendations to consider and information to include in FDA medical device premarket submissions for effective cybersecurity management. Effective cybersecurity management is intended to reduce the risk to patients by decreasing the likelihood that device functionality is intentionally or unintentionally compromised by inadequate cybersecurity.
This guidance document is applicable to the following premarket submissions for devices that contain software (including firmware) or programmable logic as well as software that is a medical device:
- Premarket Notification (510(k)) including Traditional, Special, and Abbreviated
- De novo submissions
- Premarket Approval Applications (PMA)
- Product Development Protocols (PDP)
- Humanitarian Device Exemption (HDE) submissions.