Background
In June 2013, FDA issued the brief draft guidance, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” finalized in 2014. In 2018, FDA proposed substantial updates to the 2013-14 guidance, and issued a draft guidance of the same name, which we summarized online here. Meanwhile, the final guidance “Postmarket Management of Cybersecurity in Medical Devices” (“Postmarket Cybersecurity Guidance”) issued in 2016 was complementary to the 2018 premarket guidance, and remains in effect.
The 2022 draft guidance analyzed herein replaces the 2018 draft version, and adds significant discussion intended to further emphasize the importance of ensuring that devices are designed securely, enabling emerging cybersecurity risks to be mitigated throughout the device’s Total Product Lifecycle (TPLC). Additionally, throughout the document, the agency reiterates that the risk management work per ISO 14971 may reach a different and contrary conclusion to the cybersecurity risk assessment of vulnerabilities and while these two types of activities are inherently related, they should be dealt with as distinct. The updated draft guidance also…
