[Federal Register Volume 87, Number 68 (Friday, April 8, 2022)]
[Notices]
[Pages 20873-20875]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2022-07614]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Food and Drug Administration
[Docket No. FDA-2021-D-1158]
Cybersecurity in Medical Devices: Quality System Considerations
and Content of Premarket Submissions; Draft Guidance for Industry and
Food and Drug Administration Staff; Availability
AGENCY: Food and Drug Administration, HHS.
ACTION: Notice of availability.
-----------------------------------------------------------------------
SUMMARY: The Food and Drug Administration (FDA or Agency) is announcing
the availability of the draft guidance entitled ``Cybersecurity in
Medical Devices: Quality System Considerations and Content of Premarket
Submissions.'' As more medical devices are becoming interconnected,
cybersecurity threats have become more numerous, more frequent, more
severe, and more clinically impactful. As a result, ensuring medical
device safety and effectiveness includes adequate medical device
cybersecurity, as well as its security as part of the larger system. In
2018, FDA proposed updates to the final guidance, ``Content of
Premarket Submissions for Management of Cybersecurity in Medical
Devices,'' and issued a draft guidance of the same name. This draft
guidance replaces the 2018 draft guidance. This draft guidance is
intended to further emphasize the importance of ensuring that devices
are designed securely, are designed to be capable of mitigating
emerging cybersecurity risks throughout the Total Product Life Cycle,
and to clearly outline FDA's recommendations for premarket submission
content to address cybersecurity concerns. This draft guidance is not
final nor is it for implementation at this time.
DATES: Submit either electronic or written comments on the draft
guidance by July 7, 2022 to ensure that the Agency considers your
comment on this draft guidance before it begins work on the final
version of the guidance.
ADDRESSES: You may submit comments on any guidance at any time as
follows:
Electronic Submissions
Submit electronic comments in the following way:
Federal eRulemaking Portal: https://www.regulations.gov.
Follow the instructions for submitting comments. Comments submitted
electronically, including attachments, to https://www.regulations.gov
will be posted to
the docket unchanged. Because your comment will be made public, you are
solely responsible for ensuring that your comment does not include any
confidential information that you or a third party may not wish to be
posted, such as medical information, your or anyone else's Social
Security number, or confidential business information, such as a
manufacturing process. Please note that if you include your name,
contact information, or other information that identifies you in the
body of your comments, that information will be posted on https://www.regulations.gov.
If you want to submit a comment with confidential
information that you do not wish to be made available to the public,
submit the comment as a written/paper submission and in the manner
detailed (see ``Written/Paper Submissions'' and ``Instructions'').
Written/Paper Submissions
Submit written/paper submissions as follows:
Mail/Hand Delivery/Courier (for written/paper
submissions): Dockets Management Staff (HFA-305), Food and Drug
Administration, 5630 Fishers Lane, Rm. 1061, Rockville, MD 20852.
For written/paper comments submitted to the Dockets
Management Staff, FDA will post your comment, as well as any
attachments, except for information submitted, marked and identified,
as confidential, if submitted as detailed in ``Instructions.''
Instructions: All submissions received must include the Docket No.
FDA-2021-D-1158 for ``Cybersecurity in Medical Devices: Quality System
Considerations and Content of Premarket Submissions.'' Received
comments will be placed in the docket and, except for those submitted
as ``Confidential Submissions,'' publicly viewable at https://www.regulations.gov or at the Dockets Management Staff between 9 a.m.
and 4 p.m., Monday through Friday, 240-402-7500.
Confidential Submissions--To submit a comment with
confidential information that you do not wish to be made publicly
available, submit your comments only as a written/paper submission. You
should submit two copies total. One copy will include the information
you claim to be confidential with a heading or cover note that states
``THIS DOCUMENT CONTAINS CONFIDENTIAL INFORMATION.'' The Agency will
review this copy, including the claimed confidential information, in
its consideration of comments. The second copy, which will have the
claimed confidential information redacted/blacked out, will be
available for public viewing and posted on https://www.regulations.gov.
Submit both copies to the Dockets Management Staff. If you do not wish
your name and contact information to be made publicly available, you
can provide this information on the cover sheet and not in the body of
your comments and you must identify this information as
``confidential.'' Any information marked as ``confidential'' will not
be disclosed except in accordance with 21 CFR 10.20 and other
applicable disclosure law. For more information about FDA's posting of
comments to public dockets, see 80 FR 56469, September 18, 2015, or
access the information at: https://www.govinfo.gov/content/pkg/FR-2015-09-18/pdf/2015-23389.pdf.
Docket: For access to the docket to read background documents or
the electronic and written/paper comments received, go to https://www.regulations.gov and insert the docket number, found in brackets in
the heading of this document, into the ``Search'' box and follow the
prompts and/or go to the Dockets Management Staff, 5630 Fishers Lane,
Rm. 1061, Rockville, MD 20852, 240-402-7500.
You may submit comments on any guidance at any time (see 21 CFR
10.115(g)(5)).
An electronic copy of the guidance document is available for
download from the internet. See the SUPPLEMENTARY INFORMATION section
for information on electronic access to the guidance. Submit written
requests for a single hard copy of the draft guidance document entitled
``Cybersecurity in Medical Devices: Quality System Considerations and
Content of Premarket Submissions'' to the Office of Policy, Guidance
and Policy Development, Center for Devices and Radiological Health,
Food and Drug Administration, 10903 New Hampshire Ave., Bldg. 66, Rm.
5431, Silver Spring, MD 20993-0002 or the Office of Communication,
Outreach and Development, Center for Biologics Evaluation and Research
(CBER), Food and Drug Administration, 10903 New Hampshire Ave., Bldg.
71, Rm. 3128, Silver Spring, MD 20993-0002. Send one self-addressed
adhesive label to assist that office in processing your request.
FOR FURTHER INFORMATION CONTACT: Suzanne Schwartz, Center for Devices
and Radiological Health, Food and Drug Administration, 10903 New
Hampshire Ave., Bldg. 66, Rm. 5410, Silver Spring, MD 20993-0002, 301-
796-6937; or Stephen Ripley, Center for Biologics Evaluation and
Research, Food and Drug Administration, 10903 New Hampshire Ave., Bldg.
71, Rm. 7301, Silver Spring, MD 20993, 240-402-7911.
SUPPLEMENTARY INFORMATION:
I. Background
The need for effective cybersecurity to reasonably ensure medical
device safety and effectiveness has become more important with the
increasing use of wireless, internet- and network-connected devices,
portable media (e.g., USB or CD), and the frequent electronic exchange
of medical device-related health information. In addition,
cybersecurity threats to the healthcare sector have become more
frequent, more severe, and carry increased potential for clinical
impact. Cybersecurity incidents have rendered medical devices and
hospital networks inoperable, disrupting the delivery of patient care
across healthcare facilities in the United States and globally. Such
cyber attacks and exploits can delay diagnoses and/or treatment and may
lead to patient harm.
Although FDA issued guidance providing recommendations for device
cybersecurity information in premarket submissions in 2014,\1\ the
rapidly evolving landscape, and the increased understanding of the
threats and their potential mitigations, necessitate an updated
approach. As such, FDA issued a draft guidance in 2018 entitled
``Content of Premarket Submissions for Management of Cybersecurity in
Medical Devices.''
---------------------------------------------------------------------------
\1\ Content of Premarket Submissions for Management of
Cybersecurity in Medical Devices--Guidance for Industry and Food and
Drug Administration Staff at https://www.fda.gov/regulatory-information/search-fda-guidance-documents/content-premarket-submissions-management-cybersecurity-medical-devices-0.
---------------------------------------------------------------------------
Given the rapidly evolving device cybersecurity landscape, FDA is
issuing this draft guidance, which replaces the 2018 draft guidance, to
further emphasize the importance of ensuring that devices are designed
securely, are designed to be capable of mitigating emerging
cybersecurity risks throughout the Total Product Life Cycle, and to
clearly outline FDA's recommendations for premarket submission content
to address cybersecurity concerns, including device labeling. These
recommendations can facilitate an efficient premarket review process
and help ensure that marketed medical devices are sufficiently
resilient to cybersecurity threats.
This draft guidance supplants the draft guidance entitled,
``Content of Premarket Submissions for Management of Cybersecurity in
Medical Devices'' issued October 18, 2018, and takes into consideration
comments received on the 2018 draft guidance (83 FR 52835;
https://www.govinfo.gov/content/pkg/FR-2018-10-18/pdf/2018-22697.pdf)
and input gained from the public workshop entitled, ``Content of
Premarket Submissions for Management of Cybersecurity in Medical
Devices'' held on January 29-30, 2019.\2\ Several changes were made in
this draft guidance, including a change in title to better capture the
scope of the current draft guidance, document structure change to align
with use of a Secure Product Framework, removal of risk tiers,
replacement of the Cybersecurity Bill of Materials with Software Bill
of Materials, additional clarification regarding premarket submission
document requests throughout the draft guidance, and addition of
Investigational Device Exemptions to the scope.
---------------------------------------------------------------------------
\2\ https://wayback.archive-it.org/7993/20201222110245/https://www.fda.gov/medical-devices/workshops-conferences-medical-devices/public-workshop-content-premarket-submissions-management-cybersecurity-medical-devices-january-29-30.
---------------------------------------------------------------------------
This draft guidance is being issued consistent with FDA's good
guidance practices regulation (21 CFR 10.115). The draft guidance, when
finalized, will represent the current thinking of FDA on
``Cybersecurity in Medical Devices: Quality System Considerations and
Content of Premarket Submissions.'' It does not establish any rights
for any person and is not binding on FDA or the public. You can use an
alternative approach if it satisfies the requirements of the applicable
statutes and regulations.
II. Electronic Access
Persons interested in obtaining a copy of the draft guidance may do
so by downloading an electronic copy from the internet. A search
capability for all Center for Devices and Radiological Health guidance
documents is available at https://www.fda.gov/medical-devices/device-advice-comprehensive-regulatory-assistance/guidance-documents-medical-devices-and-radiation-emitting-products. This draft guidance is also
available at https://www.regulations.gov and at https://www.fda.gov/regulatory-information/search-fda-guidance-documents or https://www.fda.gov/vaccines-blood-biologics/guidance-compliance-regulatory-information-biologics/biologics-guidances. Persons unable to download
an electronic copy of ``Cybersecurity in Medical Devices: Quality
System Considerations and Content of Premarket Submissions'' may send
an email request to [email protected] to receive an electronic
copy of the document. Please use the document number 1825-R1 and
complete title to identify the guidance you are requesting.
III. Paperwork Reduction Act of 1995
While this guidance contains no collection of information, it does
refer to previously approved FDA collections of information. Therefore,
clearance by the Office of Management and Budget (OMB) under the
Paperwork Reduction Act of 1995 (PRA) (44 U.S.C. 3501-3521) is not
required for this guidance. The previously approved collections of
information are subject to review by OMB under the PRA. The collections
of information in the following FDA regulations, guidance, and forms
have been approved by OMB as listed in the following table:
-------------------------------------------------------------------------------------
21 CFR part or guidance          Topic                                OMB control No.
-------------------------------------------------------------------------------------
807, subpart E                   Premarket notification               0910-0120
814, subparts A through E        Premarket approval                   0910-0231
814, subpart H                   Humanitarian Device Exemption        0910-0332
812                              Investigational Device Exemption     0910-0078
860, subpart D                   De Novo classification process       0910-0844
``Requests for Feedback on       Q-submissions                        0910-0756
 Medical Device Submissions:
 The Pre-Submission Program and
 Meetings with Food and Drug
 Administration Staff''
800, 801, and 809                Medical Device Labeling Regulations  0910-0485
820                              Current Good Manufacturing Practice  0910-0073
                                 (CGMP); Quality System (QS)
                                 Regulation
-------------------------------------------------------------------------------------
Dated: April 5, 2022.
Lauren K. Roth,
Associate Commissioner for Policy.
[FR Doc. 2022-07614 Filed 4-7-22; 8:45 am]
BILLING CODE 4164-01-P