WHAT IS A CYBER DEVICE?

What medical products are in the scope of Section 524B? Section 524B(c) of the FD&C Act defines a cyber device as "a device that includes software validated, installed, or authorized by the sponsor as a device or in a device; has the ability to connect to the internet; and contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats."

Medical technology or medical device manufacturers should contact the FDA if they are unsure whether their equipment or devices are considered cyber devices. The final decision on whether a device falls under the cyber device definition is subject to FDA's interpretation. (Note that devices that do not directly connect to the internet may still contain cybersecurity vulnerabilities.) A medical device manufacturer should be prepared to answer detailed questions if the FDA is not satisfied with the initial application.

REQUIREMENTS IN SECTION 524B

The FDA Requirements of Section 524B (Question 4) state that "Section 524B(a) of the FD&C Act provides that the sponsor of a premarket submission for a cyber device must include information to demonstrate that the cyber device meets the cybersecurity requirements in section 524B(b) of the FD&C Act."

Specifically, the sponsor of the premarket submission must:

• Submit a plan to monitor, identify, and address, as appropriate, in a reasonable time, post-market cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures.
• Design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available post-market updates and patches to the device and related systems.
• Provide a software bill of materials, including commercial, open source, and off-the-shelf software components.

For full details, see the FDA link at www.fda.gov/medical-devices/digital-health-center-excellence/cybersecurity.

REGULATIONS AND STANDARDS

There are seven regulations and standards that medical device manufacturers need to consider as they implement cybersecurity features in their devices. These are:

• IEC 62304: Medical Device Software: Software Lifecycle Processes
• IEC 82304: Health Software: General Requirements for Product Safety
• IEC 62366: Medical Device Software: Application of Usability Engineering to Medical Devices
• ISO 14971: Medical Devices: Application of Risk Management to Medical Devices
• IEC 80001-1: Application of Risk Management for IT-Networks Incorporating Medical Devices, Part 1: Safety, Effectiveness, and Security in the Implementation and Use of Connected Medical Devices or Connected Health Software
• 21 CFR 820: Quality System Regulation 820.30(g): Design Controls: Design Validation
• AAMI TIR57: Principles for Medical Device Security: Risk Management

CYBERSECURITY: GENERAL PRINCIPLES AND FRAMEWORK

Medical device manufacturers should address cybersecurity during the design and development of their devices. However, the FDA recognizes that medical device security is a shared responsibility among stakeholders, including healthcare facilities, patients, providers, and medical device manufacturers.

General Principles

Manufacturers should establish design inputs related to cybersecurity and establish a cybersecurity vulnerability and management approach for their devices that includes:

• Identification of assets, threats, and vulnerabilities
• Assessment of the impact of threats and vulnerabilities on device functionality and end users/patients
• Assessment of the likelihood of a threat and of a vulnerability being exploited
• Determination of risk levels and suitable mitigation strategies
• Assessment of residual risk and risk acceptance criteria

NIST Framework for Cybersecurity

Using a cybersecurity framework can help enable a comprehensive process that strengthens cybersecurity for medical devices. The National Institute of Standards and Technology (NIST) is an agency of the U.S. Department of Commerce that created a framework to help improve the management of cybersecurity risk. The FDA suggests addressing the cybersecurity core functions per the NIST framework:

• Identify: Develop an organizational understanding of managing cybersecurity risk to systems, people, assets, data, and capabilities.
• Protect: Develop and implement appropriate safeguards to ensure delivery of critical services.
• Detect: Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.
• Respond: Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.
• Recover: Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.

PREMARKET CYBERSECURITY DOCUMENTS

The FDA has required that medical device manufacturers utilize strong cybersecurity methods and tools in the development of their products and the ongoing operation
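The five General Principles above (identify assets, threats and vulnerabilities; assess impact and likelihood; determine risk levels and mitigations; check residual risk against acceptance criteria) worked through as a small risk register. This is an added example, not code or material from the original document, the FDA, or any standard; the hypothetical device, the ordinal scales, the thresholds and the register entries are all constructed.

```python
from dataclasses import dataclass, field

# Ordinal scales and thresholds are constructed for this example; they are not
# FDA, ISO 14971 or AAMI TIR57 values. Risk score = likelihood x impact.
LIKELIHOOD = {"remote": 1, "occasional": 2, "probable": 3, "frequent": 4}
IMPACT = {"negligible": 1, "minor": 2, "serious": 3, "critical": 4}

@dataclass
class Risk:
    asset: str          # what is protected
    threat: str         # what could go wrong
    vulnerability: str  # weakness that lets the threat occur
    impact: str         # effect on device function / patient
    likelihood: str     # chance the vulnerability is exploited
    mitigations: list = field(default_factory=list)  # (control, likelihood after)

def score(likelihood: str, impact: str) -> int:
    return LIKELIHOOD[likelihood] * IMPACT[impact]

def level(s: int) -> str:
    """Map a score to a risk level; only 'low' meets the acceptance criterion."""
    return "high" if s >= 12 else "medium" if s >= 6 else "low"

def assess(risk: Risk) -> dict:
    """Initial risk, residual risk after mitigations, and the acceptance decision."""
    initial = score(risk.likelihood, risk.impact)
    residual_likelihood = risk.likelihood
    for _control, after in risk.mitigations:  # controls here reduce likelihood only
        if LIKELIHOOD[after] < LIKELIHOOD[residual_likelihood]:
            residual_likelihood = after
    residual = score(residual_likelihood, risk.impact)
    return {"asset": risk.asset, "initial": level(initial),
            "residual": level(residual), "acceptable": level(residual) == "low"}

# Constructed register for a hypothetical network-connected device.
REGISTER = [
    Risk("firmware update channel", "tampered update image installed",
         "update image integrity is not verified", "critical", "probable",
         [("signed update images, signature checked on device", "remote")]),
    Risk("patient telemetry export", "disclosure of patient data in transit",
         "unencrypted network transport", "serious", "occasional",
         [("TLS with mutual authentication", "remote")]),
    Risk("service port", "unauthorized configuration change",
         "default service credentials", "serious", "frequent", []),
]

def unacceptable(register=REGISTER) -> list:
    """Assets whose residual risk still fails the acceptance criterion."""
    return [r["asset"] for r in map(assess, register) if not r["acceptable"]]
```

Entries returned by unacceptable() are the ones that still need a mitigation (or a documented benefit-risk decision) before the residual risk can be accepted.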