The FDA’s Cybersecurity Guidance for Medical Devices
Earlier this year, the #FDA announced it would not accept submissions for "#cyberdevices" without a plan to "monitor, identify, and address" cybersecurity issues, as well as a defined process that provides "reasonable assurance" that the device remains protected. Since (as I'm sure you noticed) the Agency's guidance doesn't provide much detail beyond that, I'd check out the more in-depth #IMDRF release for detailed principles on risk, design, monitoring, communication, and the Software Bill of Materials (#SBOM).
The IMDRF release, as well as some of the documents it references, does a pretty good job of level-setting expectations and hints at how to incorporate them into your existing system (including some tips on parallel processes that may make sense to align).
Still, there are some challenges, particularly when applying these practices to revisions of existing products (SBOMs seem particularly thorny across multiple industries, not just healthcare), and especially to those with more complex architectures and more third-party components.
Curious to know what difficulties, questions, or lessons you're seeing so far with this topic. #Share some below!
#cybersecurity #software #medicaldevice