On September 27, 2023, FDA finalized its guidance entitled “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions” (the “2023 Final Guidance”).1 The Final Guidance replaces guidance issued in 2014 (and the draft guidance issued in April 2022, the “2022 Draft Guidance”) and outlines three primary changes to the Agency’s current thinking, as compared to the 2014 Guidance:
- Introduction of the “Secure Product Development Framework,” implemented through comprehensive risk management, security architecture, and cybersecurity-specific testing;
- Recommendations for implementation of cybersecurity transparency, including modified cybersecurity-specific labeling, and a vulnerability management plan; and
- An appendix providing cybersecurity documentation requirements for Investigational Device Exemption (IDE) submissions.
The 2023 Final Guidance is largely consistent with the 2022 Draft Guidance, but there are differences that may require additional or altered approaches; these differences are the focus of this Client Alert. Please see our Client Alert on the 2022 Draft Guidance for a detailed overview of FDA’s current thinking on…
