Findings
Cybersecurity risk management is a shared responsibility involving manufacturers, healthcare organizations, and IT vendors.
Proactive measures, such as threat modeling and vulnerability scanning, are critical to mitigating risks throughout the device lifecycle.
Cybersecurity routine updates and patches are generally considered enhancements and are not subject to 21 CFR Part 806 reporting unless risks are uncontrolled.
Participation in Information Sharing and Analysis Organizations (ISAOs) is encouraged to foster collaboration and timely sharing of vulnerability and threat information.
Effective remediation plans must address vulnerabilities promptly, with appropriate reporting and user communication.
Recommendations
Monitor cybersecurity signals from diverse sources, including ISAOs, CERTs, and internal investigations, to identify and assess vulnerabilities.
Establish a robust risk management program incorporating the NIST Cybersecurity Framework to address risks from design to obsolescence.
Use tools like the Common Vulnerability Scoring System (CVSS) for assessing exploitability and prioritizing remediation efforts.
Communicate vulnerability and mitigation strategies clearly to users, ensuring they understand risks and appropriate controls.
Report uncontrolled vulnerabilities to FDA under 21 CFR Part 806, unless certain conditions are met (e.g., timely remediation, participation in ISAOs).
Regulatory Considerations
Cybersecurity routine updates addressing controlled risks are not typically subject to FDA reporting requirements under 21 CFR Part 806.
Uncontrolled risks must be remediated promptly, with detailed reporting to FDA, unless alternative measures like ISAO participation and mitigation plans are in place.
Class III devices with periodic reporting requirements must include cybersecurity-related updates and vulnerabilities in annual PMA reports.
Manufacturers must document their risk assessments, remediation plans, and user communications to demonstrate compliance with 21 CFR Part 820.
Threat detection and forensic capabilities should be built into device designs to support postmarket monitoring and risk mitigation.