
[Federal Register Volume 88, Number 186 (Wednesday, September 27, 2023)]
[Notices]
[Pages 66458-66460]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-20955]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Food and Drug Administration

[Docket No. FDA-2021-D-1158]


Cybersecurity in Medical Devices: Quality System Considerations 
and Content of Premarket Submissions; Guidance for Industry and Food 
and Drug Administration Staff; Availability

AGENCY: Food and Drug Administration, HHS.

ACTION: Notice of availability.

-----------------------------------------------------------------------

SUMMARY: The Food and Drug Administration (FDA or Agency) is announcing 
the availability of a final guidance entitled ``Cybersecurity in 
Medical Devices: Quality System Considerations and Content of Premarket 
Submissions.'' As more medical devices are becoming interconnected, 
cybersecurity threats have become more numerous, more frequent, more 
severe, and more clinically impactful. As a result, ensuring medical 
device safety and effectiveness includes adequate medical device 
cybersecurity, as well as its security as part of the larger system. 
This final guidance supersedes the final guidance ``Content of 
Premarket Submissions for Management of Cybersecurity in Medical 
Devices,'' issued October 2, 2014.

DATES: The announcement of the guidance is published in the Federal 
Register on September 27, 2023.

ADDRESSES: You may submit either electronic or written comments on 
Agency guidances at any time as follows:

[[Page 66459]]

Electronic Submissions

    Submit electronic comments in the following way:
     Federal eRulemaking Portal: https://www.regulations.gov. 
Follow the instructions for submitting comments. Comments submitted 
electronically, including attachments, to https://www.regulations.gov 
will be posted to the docket unchanged. Because your comment will be 
made public, you are solely responsible for ensuring that your comment 
does not include any confidential information that you or a third party 
may not wish to be posted, such as medical information, your or anyone 
else's Social Security number, or confidential business information, 
such as a manufacturing process. Please note that if you include your 
name, contact information, or other information that identifies you in 
the body of your comments, that information will be posted on https://www.regulations.gov.
     If you want to submit a comment with confidential 
information that you do not wish to be made available to the public, 
submit the comment as a written/paper submission and in the manner 
detailed (see ``Written/Paper Submissions'' and ``Instructions'').

Written/Paper Submissions

    Submit written/paper submissions as follows:
     Mail/Hand Delivery/Courier (for written/paper 
submissions): Dockets Management Staff (HFA-305), Food and Drug 
Administration, 5630 Fishers Lane, Rm. 1061, Rockville, MD 20852.
     For written/paper comments submitted to the Dockets 
Management Staff, FDA will post your comment, as well as any 
attachments, except for information submitted, marked and identified, 
as confidential, if submitted as detailed in ``Instructions.''
    Instructions: All submissions received must include the Docket No. 
FDA-2021-D-1158 for ``Cybersecurity in Medical Devices: Quality System 
Considerations and Content of Premarket Submissions.'' Received 
comments will be placed in the docket and, except for those submitted 
as ``Confidential Submissions,'' publicly viewable at https://www.regulations.gov or at the Dockets Management Staff between 9 a.m. 
and 4 p.m., Monday through Friday, 240-402-7500.
     Confidential Submissions--To submit a comment with 
confidential information that you do not wish to be made publicly 
available, submit your comments only as a written/paper submission. You 
should submit two copies total. One copy will include the information 
you claim to be confidential with a heading or cover note that states 
``THIS DOCUMENT CONTAINS CONFIDENTIAL INFORMATION.'' The Agency will 
review this copy, including the claimed confidential information, in 
its consideration of comments. The second copy, which will have the 
claimed confidential information redacted/blacked out, will be 
available for public viewing and posted on https://www.regulations.gov. 
Submit both copies to the Dockets Management Staff. If you do not wish 
your name and contact information to be made publicly available, you 
can provide this information on the cover sheet and not in the body of 
your comments and you must identify this information as 
``confidential.'' Any information marked as ``confidential'' will not 
be disclosed except in accordance with 21 CFR 10.20 and other 
applicable disclosure law. For more information about FDA's posting of 
comments to public dockets, see 80 FR 56469, September 18, 2015, or 
access the information at: https://www.govinfo.gov/content/pkg/FR-2015-09-18/pdf/2015-23389.pdf.
    Docket: For access to the docket to read background documents or 
the electronic and written/paper comments received, go to https://www.regulations.gov and insert the docket number, found in brackets in 
the heading of this document, into the ``Search'' box and follow the 
prompts and/or go to the Dockets Management Staff, 5630 Fishers Lane, 
Rm. 1061, Rockville, MD 20852, 240-402-7500.
    You may submit comments on any guidance at any time (see 21 CFR 
10.115(g)(5)).
    An electronic copy of the guidance document is available for 
download from the internet. See the SUPPLEMENTARY INFORMATION section 
for information on electronic access to the guidance. Submit written 
requests for a single hard copy of the guidance document entitled 
``Cybersecurity in Medical Devices: Quality System Considerations and 
Content of Premarket Submissions'' to the Office of Policy, Center for 
Devices and Radiological Health, Food and Drug Administration, 10903 
New Hampshire Ave., Bldg. 66, Rm. 5431, Silver Spring, MD 20993-0002. 
Send one self-addressed adhesive label to assist that office in 
processing your request.

FOR FURTHER INFORMATION CONTACT: Suzanne Schwartz, Center for Devices 
and Radiological Health, Food and Drug Administration, 10903 New 
Hampshire Ave., Bldg. 66, Rm. 5410, Silver Spring, MD 20993-0002, 301-
796-6937; or Anne Taylor, Center for Biologics Evaluation and Research, 
Food and Drug Administration, 10903 New Hampshire Ave., Bldg. 71, Rm. 
7301, Silver Spring, MD 20993, 240-402-7911.

SUPPLEMENTARY INFORMATION:

I. Background

    With the increasing integration of wireless, internet- and network-
connected capabilities, portable media (e.g., USB or CD), and the 
frequent electronic exchange of medical device-related health 
information and other information, the need for robust cybersecurity 
controls to ensure medical device safety and effectiveness has become 
more important. In addition, cybersecurity threats to the healthcare 
sector have become more frequent and more severe, carrying increased 
potential for clinical impact. Cybersecurity incidents have rendered 
medical devices and hospital networks inoperable, disrupting the 
delivery of patient care across healthcare facilities in the United 
States and globally. Such cyberattacks and exploits may lead to patient 
harm as a result of clinical hazards, such as delay in diagnoses and/or 
treatment. As a result, ensuring device safety and effectiveness 
includes adequate device cybersecurity, as well as its security as part 
of the larger system.
    Additionally, section 3305 of the Consolidated Appropriations Act, 
2023, enacted on December 29, 2022, added section 524B ``Ensuring 
Cybersecurity of Medical Devices'' to the Federal Food, Drug, and 
Cosmetic Act (FD&C Act). Under section 524B(a) of the FD&C Act, a 
person who submits a 510(k), premarket approval application (PMA), 
product development protocol, De Novo, or Humanitarian Device Exemption 
for a device that meets the definition of a cyber device, as defined 
under section 524B(c) of the FD&C Act, is required to submit 
information to ensure that cyber devices meet the cybersecurity 
requirements under section 524B(b) of the FD&C Act. Section 524B(c) of 
the FD&C Act defines ``cyber device'' as a device that includes 
software validated, installed, or authorized by the sponsor as a device 
or in a device; has the ability to connect to the internet; and 
contains any such technological characteristics validated, installed, 
or authorized by the sponsor that could be vulnerable to cybersecurity 
threats. The recommendations in this guidance are intended to help 
manufacturers meet their obligations under section 524B of the FD&C 
Act.
    This final guidance supersedes the final guidance ``Content of 
Premarket

[[Page 66460]]

Submissions for Management of Cybersecurity in Medical Devices,'' 
issued October 2, 2014. The changes since the 2014 guidance are 
intended to further emphasize the importance of ensuring that devices 
are designed securely and are designed to be capable of mitigating 
emerging cybersecurity risks throughout the total product lifecycle 
(TPLC), and to clearly outline FDA's recommendations for premarket 
submission information to address cybersecurity concerns. As discussed 
in the guidance, one way these TPLC considerations for devices can be 
achieved is through the implementation and adoption of the Secure 
Product Development Framework. The recommendations in this guidance are 
intended to promote consistency, facilitate efficient premarket review, 
and help ensure that marketed medical devices are sufficiently 
resilient to cybersecurity threats.
    A notice of availability of the draft guidance appeared in the 
Federal Register of April 8, 2022 (87 FR 20873). FDA considered 
comments received and revised the guidance as appropriate in response 
to the comments, including aligning with industry best practices, as 
well as further clarifying the level of documentation recommended. 
Additionally, we have clarified interoperability considerations and 
that cybersecurity controls should not be intended to prohibit a user 
from accessing their device data.
    This guidance is being issued consistent with FDA's good guidance 
practices regulation (21 CFR 10.115). The guidance represents the 
current thinking of FDA on ``Cybersecurity in Medical Devices: Quality 
System Considerations and Content of Premarket Submissions.'' It does 
not establish any rights for any person and is not binding on FDA or 
the public. You can use an alternative approach if it satisfies the 
requirements of the applicable statutes and regulations.

II. Electronic Access

    Persons interested in obtaining a copy of the guidance may do so by 
downloading an electronic copy from the internet. A search capability 
for all Center for Devices and Radiological Health guidance documents 
is available at https://www.fda.gov/medical-devices/device-advice-comprehensive-regulatory-assistance/guidance-documents-medical-devices-and-radiation-emitting-products. This guidance document is also 
available at https://www.regulations.gov, https://www.fda.gov/regulatory-information/search-fda-guidance-documents or https://www.fda.gov/vaccines-blood-biologics/guidance-compliance-regulatory-information-biologics. Persons unable to download an electronic copy of 
``Cybersecurity in Medical Devices: Quality System Considerations and 
Content of Premarket Submissions'' may send an email request to [email protected] to receive an electronic copy of the document. 
Please use the document number GUI00001825 and complete title to 
identify the guidance you are requesting.

III. Paperwork Reduction Act of 1995

    While this guidance contains no new collection of information, it 
does refer to previously approved FDA collections of information. The 
previously approved collections of information are subject to review by 
the Office of Management and Budget under the Paperwork Reduction Act 
of 1995. The collections of information in the following FDA 
regulations, guidance, and forms have been approved by OMB as listed in 
the following table:

------------------------------------------------------------------------
                                                            OMB Control
      21 CFR part or guidance               Topic               No.
------------------------------------------------------------------------
807, subpart E....................  Premarket                  0910-0120
                                     notification.
814, subparts A through E.........  Premarket approval..       0910-0231
814, subpart H....................  Humanitarian Use           0910-0332
                                     Devices;
                                     Humanitarian Device
                                     Exemption.
812...............................  Investigational            0910-0078
                                     Device Exemption.
860, subpart D....................  De Novo                    0910-0844
                                     classification
                                     process.
``Requests for Feedback and         Q-Submissions and          0910-0756
 Meetings for Medical Device         early payor
 Submissions: The Q-Submission       feedback request
 Program''.                          programs for
                                     medical devices.
800, 801, 809, and 830............  Medical device             0910-0485
                                     labeling
                                     regulations; Unique
                                     device
                                     identification.
820...............................  Current good               0910-0073
                                     manufacturing
                                     practice (CGMP);
                                     Quality system (QS)
                                     regulation.
------------------------------------------------------------------------


    Dated: September 21, 2023.
Lauren K. Roth,
Associate Commissioner for Policy.
[FR Doc. 2023-20955 Filed 9-26-23; 8:45 am]
BILLING CODE 4164-01-P


