Findings
Medical devices using OTS software are vulnerable to cybersecurity threats, which can compromise safety and effectiveness.
FDA emphasizes that most software patches can be applied without prior approval unless they alter the device’s intended use or compromise safety and effectiveness.
Manufacturers must validate software changes to ensure they meet user needs and function as intended, following Quality System regulation.
Healthcare organizations rarely possess sufficient technical resources to independently manage medical device software, relying on manufacturers for updates and guidance.
Collaboration between healthcare organizations and manufacturers is critical for developing and implementing cybersecurity plans.

Recommendations
Manufacturers should monitor sources of quality data to identify vulnerabilities and implement corrective actions to maintain device safety and effectiveness.
Validate all software patches and changes, documenting that they meet user needs and functional requirements.
Develop and follow plans for managing software changes, including timelines, testing protocols, and communication strategies.
Healthcare organizations should collaborate with manufacturers to implement cybersecurity measures and address vulnerabilities.
Avoid applying third-party software patches to medical devices without guidance from the device manufacturer.

Regulatory Considerations
Manufacturers must comply with FDA’s Quality System regulation, ensuring that software patches and changes are validated and documented.
FDA approval is required for software changes that alter the device’s intended use or significantly affect its safety and effectiveness.
Healthcare organizations should not independently apply software patches but rely on manufacturer guidance to ensure compliance with FDA regulations.
Manufacturers should maintain a plan for managing cybersecurity vulnerabilities, including monitoring for threats and updating devices as needed.