The FDA’s guidance on cybersecurity in premarket submissions requires that the instructions for use (IFU) include advice and precautions on how to operate medical devices in their intended environments. For additional information, please refer to the FDA’s official guidance document titled “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions”.
In this guidance, the FDA outlines recommendations for medical device labeling ensuring cybersecurity compliance:
1. Identify Assets: List all software and hardware assets included in the device.
2. Identify Threats: Describe potential threats that could exploit cybersecurity vulnerabilities.
3. Identify vulnerabilities: Identify cybersecurity vulnerabilities affecting the device.
4. Assess Risk: Provide a risk assessment based on identified threats and vulnerabilities.
5. Control Measures: Apply measures to mitigate identified risks.
6. Device Security by Design: Integrate security practices into design and development processes.
7. Authentication Mechanisms: Implement authentication controls to limit access to authorized users.
8. Software Updates: Ensure mechanisms for secure and timely software updates.
9. Data Protection: Implement data protection measures for information stored or transmitted.
10. Detect and Respond: Establish capabilities to detect and respond to cybersecurity incidents.
11. Postmarket Surveillance: Monitor devices postmarket to identify and address new vulnerabilities.
12. Information Sharing: Share relevant cybersecurity information with stakeholders.
13. User Training: Train users and administrators on cybersecurity awareness and best practices.
14. Documentation: Maintain thorough documentation of cyber-security measures and procedures.
Medical device labeling plays a crucial role throughout the risk assessment, operation, upgrade and overall lifecycle of the medical devices and health software.
Cybersecurity items in medical device labeling
Recommended items for the Instructions for Use (IFU) content may include:
· Description of cybersecurity features and functionalities.
· Guidelines for maintaining device security.
· Procedures for applying software updates.
· Information on threat detection and response protocols.
· Best practices for user authentication and access control.
· Steps to protect sensitive data.
· Contact information for reporting cybersecurity issues.
· Training resources for users and administrators.
Implementing these medical device labeling recommendations can help ensure that medical devices are secure and protected against potential cyber threats.
Cybersecurity Labeling Requirements and Examples in medical device labeling
The following 14 items are examples of information that may be included in labeling to communicate relevant security information to users:
| Medical Device Labeling Requirements | Description | Examples for medical device labeling instructions |
| Device instructions and specifications related to cybersecurity controls | Details about necessary security measures for devices. | The medical device must use anti-malware software updated daily and requires 2FA/MFA for user access. |
| Detailed diagrams for implementing cybersecurity controls | Visual guides for setting up security features. | A diagram illustrating where and how to configure a firewall to block unauthorized access to patient records. |
| List and descriptions of network ports and interfaces | Information on network ports used by the device with functionality and direction. This information shall be in line with the FDA guidance on interoperability. | Port 443 is used for secure HTTPS communication for transmitting (only) patient data. Service ports are physically protected and require admin login. |
| Guidance on infrastructure requirements for device operation | Instructions on secure setup and threat response. | The health software should be operated within a segmented network to isolate it from general internet traffic, ensuring patient data protection. |
| SBOM in a machine-readable format | Continuous provision of software component lists. | A CycloneDX file listing third-party software components used in the medical device, accessible on request through a manufacturer’s web portal. |
| Procedures for downloading manufacturer-authorized software/firmware versions | Steps for obtaining verified updates. | Firmware updates are downloaded from the official website and verified using a digital signature to ensure authenticity. Updates need to be clearly labeled and installation confirmed by an administrator. |
| Design features that respond to security events with notifications and logs | Mechanisms for alerting users to security issues. | The device sends an alert to the administrator if there is an unauthorized access attempt to the electronic health record (EHR) system. Audit logs are archived, indexed and searchable. |
| Features protecting critical functionality | Measures ensuring essential operations continue. | The device enters a backup mode if it detects a critical failure, ensuring essential functions like patient monitoring remain operational. |
| Backup and restore procedures for authenticated configurations | Methods for saving and recovering settings. | Users can back up their settings to an encrypted external drive to safeguard configuration data. |
| Methods for retaining and recovering device configuration by authorized users | Processes for restoring previous settings. | Authorized users can restore previous configurations stored securely in a compliance-regulated cloud service. |
| Secure configurations and instructions for user-configurable changes | Guidelines on modifying device settings securely. | Authorized users can restore defaults and factory configurations stored securely in a compliance-regulated cloud service. |
| Forensic evidence capture, including log file management | Handling and preserving log files for analysis. | Log files are automatically saved and encrypted in the network management system to ensure data integrity for forensic analysis. |
| Information about cybersecurity end of support/life, and risk management | Details on device lifespan and associated risks. | The medical device will no longer receive security updates after December 31, 2025 if running Windows 10. The OS should be upgraded to Linux or Windows 11 after this date. |
| Secure decommissioning procedures for sensitive data and software | Procedures for safely disposing of the device. | The device includes a feature to overwrite and delete all patient data before disposal which is activated when end-of-life is reached or a replacement is activated. |
| Optional: Manufacturer Disclosure Statement for Medical Device Security (MDS2) | Recommendations and disclosures specific to medical devices. | An MDS2 statement detailing the cybersecurity controls and validations implemented in a new health diagnostic tool. Relevant protocols, their versions and reference to e.g. IETF or wireless standards (e.g. Bluetooth version 5.2) are specified. |
An MDS2 statement in medical device labeling depends on available templates for the device category concerned. An IFU typically contains a technical specification section that is equivalent with the MDS2 statement.
Splitting cybersecurity instructions into multiple IFUs
Health software and connected medical devices may address different audiences. A device for self-care, such as an insulin pump or a smart pen, requires addressing patients directly, e.g. how to configure the pump or the controller application on a smartphone. In contrast, a cloud service or an operating room monitor requires network administrators to know ports, protocols and traffic details. Therefore, IFUs for different health software and medical devices need an overview, and in some cases more details about configurations of the environment. For example if log files or EHR need to be processed by an administrator, details about version, format, and access procedures are required.
