FDA Final Cyber Guidance is out
The FDA has released their new guidance, which will be broadly impactful.
The FDA has released their new final guidance, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions. This formally replaces guidance that’s nearly 9 years old. They’ve also released an FAQ.
I haven’t yet had a chance to dig in, but on the surface, it seems similar to the April draft.
This is, I think, the most detailed guidance from a regulator on quality systems and the security of devices. And while it’s roughly mandatory for medical device makers, product security professionals in other fields would do well to study it and ask what the reasonable implications are for their own work.
This guidance is far more specific, and far more product-focused, than say, the FTC rules for businesses, or the SEC rules to protect investors. It says, “In general, FDA’s guidance documents do not establish legally enforceable responsibilities.” You have choices in how you follow it. Some companies want more specific rules so they can follow them, others want less specificity so they can make choices about how to achieve their goals.
The first impact that this will have is obviously on medical device makers, who need to ensure their new submissions are aligned with the guidance. The second impact will be on other industries. Other regulators are paying attention, both in the medical space internationally, and US regulators who’ll treat this as a thoughtful approach that will inform other guidance and regulation. The third impact will be on product liability lawsuits. The guidance will be treated as a point of reference for reasonable practice in other areas. Those arguing that their SDL is sufficient will say it only needs to be a subset of what’s done for medical devices. Those arguing that a product’s insecurity harmed them will claim that the other side ought to have been closer to what FDA suggested.