Determine if your medical device is a "cyber device" per FDA regulations and understand cybersecurity requirements
Important Regulatory Update - September 2023
FDA's "Cybersecurity in Medical Devices" guidance establishes mandatory requirements for "cyber devices" under FD&C Act Section 524B. Premarket submissions must include comprehensive cybersecurity documentation.
A cyber device must meet ALL three criteria: (1) it includes software, (2) it can connect to the internet, and (3) it has technological characteristics that could be vulnerable to cybersecurity threats. This is a statutory definition from the FD&C Act.
The Software Bill of Materials (SBOM) must include all commercial, open-source, and off-the-shelf software components. A machine-readable format (SPDX or CycloneDX) is required, with tracking of known vulnerabilities in the listed components.
FDA uses two tiers: Standard (lower risk) and Enhanced (higher risk). The Enhanced tier requires penetration testing, detailed threat modeling, and more comprehensive documentation.
Health software cybersecurity lifecycle
Medical device software lifecycle processes
Risk management (including security risks)
Cybersecurity quality system considerations
Managing cybersecurity post-release
Common questions answered
Example: Infusion pump with Wi-Fi connectivity, a remote monitoring app, and a cloud-based dosing database.
Requires: comprehensive threat model, penetration testing, detailed SBOM, security architecture review
Example: Diagnostic imaging workstation with network connectivity for PACS integration but no direct patient therapy.
Requires: threat model summary, security testing, SBOM, vulnerability disclosure plan
Example: Manual surgical instrument with no electronics. Standalone thermometer with no connectivity.
The cyber device cybersecurity requirements do not apply (but general security best practices should still be considered if any software is present)
Determine if your device is a "cyber device" per FDA requirements
Answer three questions to determine if your device is a "cyber device" under FDA regulations. Per FD&C Act Section 524B(c), a "cyber device" must meet ALL THREE criteria. A "cyber device" is a device that:
(1) includes software validated, installed, or authorized by the sponsor as a device or in a device;
(2) has the ability to connect to the internet; and
(3) contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.
Important Disclaimer
This tool provides guidance based on FDA's 2023 cybersecurity guidance. Actual requirements may vary based on device characteristics, evolving FDA guidance, and specific submission types. Consult with cybersecurity professionals and regulatory experts for definitive guidance.