2022-07614. Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions; Draft Guidance for Industry and Food and Drug Administration Staff; Availability  


    AGENCY:

    Food and Drug Administration, HHS.

    ACTION:

    Notice of availability.

    SUMMARY:

    The Food and Drug Administration (FDA or Agency) is announcing the availability of the draft guidance entitled “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.” As more medical devices are becoming interconnected, cybersecurity threats have become more numerous, more frequent, more severe, and more clinically impactful. As a result, ensuring medical device safety and effectiveness includes adequate medical device cybersecurity, as well as its security as part of the larger system. In 2018, FDA proposed updates to the final guidance, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” and issued a draft guidance of the same name. This draft guidance replaces the 2018 draft guidance. This draft guidance is intended to further emphasize the importance of ensuring that devices are designed securely, are designed to be capable of mitigating emerging cybersecurity risks throughout the Total Product Life Cycle, and to clearly outline FDA's recommendations for premarket submission content to address cybersecurity concerns. This draft guidance is not final nor is it for implementation at this time.

    DATES:

    Submit either electronic or written comments on the draft guidance by July 7, 2022 to ensure that the Agency considers your comment on this draft guidance before it begins work on the final version of the guidance.

    ADDRESSES:

    You may submit comments on any guidance at any time as follows:

    Electronic Submissions

    Submit electronic comments in the following way:

    Federal eRulemaking Portal: https://www.regulations.gov. Follow the instructions for submitting comments. Comments submitted electronically, including attachments, to https://www.regulations.gov will be posted to the docket unchanged. Because your comment will be made public, you are solely responsible for ensuring that your comment does not include any confidential information that you or a third party may not wish to be posted, such as medical information, your or anyone else's Social Security number, or confidential business information, such as a manufacturing process. Please note that if you include your name, contact information, or other information that identifies you in the body of your comments, that information will be posted on https://www.regulations.gov.

    • If you want to submit a comment with confidential information that you do not wish to be made available to the public, submit the comment as a written/paper submission and in the manner detailed (see “Written/Paper Submissions” and “Instructions”).

    Written/Paper Submissions

    Submit written/paper submissions as follows:

    Mail/Hand Delivery/Courier (for written/paper submissions): Dockets Management Staff (HFA-305), Food and Drug Administration, 5630 Fishers Lane, Rm. 1061, Rockville, MD 20852.

    • For written/paper comments submitted to the Dockets Management Staff, FDA will post your comment, as well as any attachments, except for information submitted, marked and identified, as confidential, if submitted as detailed in “Instructions.”

    Instructions: All submissions received must include the Docket No. FDA-2021-D-1158 for “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.” Received comments will be placed in the docket and, except for those submitted as “Confidential Submissions,” publicly viewable at https://www.regulations.gov or at the Dockets Management Staff between 9 a.m. and 4 p.m., Monday through Friday, 240-402-7500.

    • Confidential Submissions—To submit a comment with confidential information that you do not wish to be made publicly available, submit your comments only as a written/paper submission. You should submit two copies total. One copy will include the information you claim to be confidential with a heading or cover note that states “THIS DOCUMENT CONTAINS CONFIDENTIAL INFORMATION.” The Agency will review this copy, including the claimed confidential information, in its consideration of comments. The second copy, which will have the claimed confidential information redacted/blacked out, will be available for public viewing and posted on https://www.regulations.gov. Submit both copies to the Dockets Management Staff. If you do not wish your name and contact information to be made publicly available, you can provide this information on the cover sheet and not in the body of your comments and you must identify this information as “confidential.” Any information marked as “confidential” will not be disclosed except in accordance with 21 CFR 10.20 and other applicable disclosure law. For more information about FDA's posting of comments to public dockets, see 80 FR 56469, September 18, 2015, or access the information at: https://www.govinfo.gov/content/pkg/FR-2015-09-18/pdf/2015-23389.pdf.

    Docket: For access to the docket to read background documents or the electronic and written/paper comments received, go to https://www.regulations.gov and insert the docket number, found in brackets in the heading of this document, into the “Search” box and follow the prompts and/or go to the Dockets Management Staff, 5630 Fishers Lane, Rm. 1061, Rockville, MD 20852, 240-402-7500.

    You may submit comments on any guidance at any time (see 21 CFR 10.115(g)(5)).

    An electronic copy of the guidance document is available for download from the internet. See the SUPPLEMENTARY INFORMATION section for information on electronic access to the guidance. Submit written requests for a single hard copy of the draft guidance document entitled “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions” to the Office of Policy, Guidance and Policy Development, Center for Devices and Radiological Health, Food and Drug Administration, 10903 New Hampshire Ave., Bldg. 66, Rm. 5431, Silver Spring, MD 20993-0002 or the Office of Communication, Outreach and Development, Center for Biologics Evaluation and Research (CBER), Food and Drug Administration, 10903 New Hampshire Ave., Bldg. 71, Rm. 3128, Silver Spring, MD 20993-0002. Send one self-addressed adhesive label to assist that office in processing your request.


    FOR FURTHER INFORMATION CONTACT:

    Suzanne Schwartz, Center for Devices and Radiological Health, Food and Drug Administration, 10903 New Hampshire Ave., Bldg. 66, Rm. 5410, Silver Spring, MD 20993-0002, 301-796-6937; or Stephen Ripley, Center for Biologics Evaluation and Research, Food and Drug Administration, 10903 New Hampshire Ave., Bldg. 71, Rm. 7301, Silver Spring, MD 20993, 240-402-7911.


    SUPPLEMENTARY INFORMATION:

    I. Background

    The need for effective cybersecurity to reasonably ensure medical device safety and effectiveness has become more important with the increasing use of wireless, internet- and network-connected devices, portable media (e.g., USB or CD), and the frequent electronic exchange of medical device-related health information. In addition, cybersecurity threats to the healthcare sector have become more frequent, more severe, and carry increased potential for clinical impact. Cybersecurity incidents have rendered medical devices and hospital networks inoperable, disrupting the delivery of patient care across healthcare facilities in the United States and globally. Such cyber attacks and exploits can delay diagnoses and/or treatment and may lead to patient harm.

    Although FDA issued guidance providing recommendations for device cybersecurity information in premarket submissions in 2014,[1] the rapidly evolving landscape, and the increased understanding of the threats and their potential mitigations, necessitate an updated approach. As such, FDA issued a draft guidance in 2018 entitled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.”

    Given the rapidly evolving device cybersecurity landscape, FDA is issuing this draft guidance, which replaces the 2018 draft guidance, to further emphasize the importance of ensuring that devices are designed securely, are designed to be capable of mitigating emerging cybersecurity risks throughout the Total Product Life Cycle, and to clearly outline FDA's recommendations for premarket submission content to address cybersecurity concerns, including device labeling. These recommendations can facilitate an efficient premarket review process and help ensure that marketed medical devices are sufficiently resilient to cybersecurity threats.

    This draft guidance supplants the draft guidance entitled, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” issued October 18, 2018, and takes into consideration comments received on the 2018 draft guidance (83 FR 52835; https://www.govinfo.gov/content/pkg/FR-2018-10-18/pdf/2018-22697.pdf) and input gained from the public workshop entitled, “Content of Premarket Submissions for Management of Cybersecurity in Medical devices” held on January 29-30, 2019.[2] Several changes were made in this draft guidance, including a change in title to better capture the scope of the current draft guidance, document structure change to align with use of a Secure Product Framework, removal of risk tiers, replacement of the Cybersecurity Bill of Materials with Software Bill of Materials, additional clarification regarding premarket submission document requests throughout the draft guidance, and addition of Investigational Device Exemptions to the scope.

    This draft guidance is being issued consistent with FDA's good guidance practices regulation (21 CFR 10.115). The draft guidance, when finalized, will represent the current thinking of FDA on “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.” It does not establish any rights for any person and is not binding on FDA or the public. You can use an alternative approach if it satisfies the requirements of the applicable statutes and regulations.

    II. Electronic Access

    Persons interested in obtaining a copy of the draft guidance may do so by downloading an electronic copy from the internet. A search capability for all Center for Devices and Radiological Health guidance documents is available at https://www.fda.gov/medical-devices/device-advice-comprehensive-regulatory-assistance/guidance-documents-medical-devices-and-radiation-emitting-products. This draft guidance is also available at https://www.regulations.gov and at https://www.fda.gov/regulatory-information/search-fda-guidance-documents or https://www.fda.gov/vaccines-blood-biologics/guidance-compliance-regulatory-information-biologics/biologics-guidances. Persons unable to download an electronic copy of “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions” may send an email request to CDRH-Guidance@fda.hhs.gov to receive an electronic copy of the document. Please use the document number 1825-R1 and complete title to identify the guidance you are requesting.

    III. Paperwork Reduction Act of 1995

    While this guidance contains no collection of information, it does refer to previously approved FDA collections of information. Therefore, clearance by the Office of Management and Budget (OMB) under the Paperwork Reduction Act of 1995 (PRA) (44 U.S.C. 3501-3521) is not required for this guidance. The previously approved collections of information are subject to review by OMB under the PRA. The collections of information in the following FDA regulations, guidance, and forms have been approved by OMB as listed in the following table:

    21 CFR part or guidance | Topic | OMB control No.
    807, subpart E | Premarket notification | 0910-0120
    814, subparts A through E | Premarket approval | 0910-0231
    814, subpart H | Humanitarian Device Exemption | 0910-0332
    812 | Investigational Device Exemption | 0910-0078
    860, subpart D | De Novo classification process | 0910-0844
    “Requests for Feedback on Medical Device Submissions: The Pre-Submission Program and Meetings with Food and Drug Administration Staff” | Q-submissions | 0910-0756
    800, 801, and 809 | Medical Device Labeling Regulations | 0910-0485
    820 | Current Good Manufacturing Practice (CGMP); Quality System (QS) Regulation | 0910-0073

    Dated: April 5, 2022.

    Lauren K. Roth,

    Associate Commissioner for Policy.



    [FR Doc. 2022-07614 Filed 4-7-22; 8:45 am]

    BILLING CODE 4164-01-P

Document Information

Published: 04/08/2022
Department: Food and Drug Administration
Entry Type: Notice
Action: Notice of availability.
Document Number: 2022-07614
Dates: Submit either electronic or written comments on the draft guidance by July 7, 2022 to ensure that the Agency considers your comment on this draft guidance before it begins work on the final version of the guidance.
Pages: 20873-20875 (3 pages)
Docket Numbers: Docket No. FDA-2021-D-1158
PDF File: 2022-07614.pdf
Supporting Documents:
» Cybersecurity in Medical Devices Quality System Considerations and Content of Premarket Submissions
» Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions; Draft Guidance for Industry and Food and Drug Administration Staff; Availability