FDA Draft Guidance for Cybersecurity in Medical Devices


Management of Cybersecurity in Medical Devices

On January 15, 2016, the Food and Drug Administration (FDA) issued draft guidance, “Postmarket Management of Cybersecurity in Medical Devices,” addressing cybersecurity and risk management of vulnerabilities in medical devices.


FDA Cybersecurity Workshop

The guidance was published just prior to the FDA Cybersecurity Workshop held on January 20-21, 2016 in Maryland. Online webcasts of the workshop proceedings are available here: Workshop Conference

The draft guidance applies to medical devices that contain software (including firmware) or programmable logic, and to software that is itself a medical device. Medical devices are increasingly connected to computer networks to facilitate patient care and, as a result, may be vulnerable to cybersecurity threats.

Reporting Security Problems and Improvements

The FDA encourages manufacturers of premarket approval (PMA) devices that have periodic reporting requirements under 21 CFR 814.84 to include, in their annual reports, information concerning cybersecurity vulnerabilities, as well as the device changes and compensating controls implemented in response to that information.

The guidance document has currently been distributed for comment purposes only and does not contain binding requirements.

Additional Reading

This guidance complements earlier FDA guidance on the cybersecurity content of premarket submissions and on steps to protect networked medical devices containing off-the-shelf (OTS) software.

2013 – Cybersecurity Challenges for Medical Devices

2013 – Draft Guidance on Content of Premarket Submissions for Management of Cybersecurity in Medical Devices

2005 – Cybersecurity for Networked Medical Devices Containing Off-the-Shelf Software
