Information for Healthcare Organizations about FDA's "Guidance for Industry: Cybersecurity for Networked Medical Devices Containing Off-The-Shelf (OTS) Software" February 2005

The Center for Devices and Radiological Health, FDA, has issued a guidance document for manufacturers on cybersecurity of networked medical devices that use OTS software. We know that you are very interested in this issue, so we have prepared the following questions and answers to help you understand the guidance document.

What medical devices does this guidance cover?

This guidance covers medical devices that:

Who is this guidance for?

FDA has addressed the guidance to manufacturers of medical devices. This guidance explains some of FDA's rules for manufacturers of medical devices that use OTS software and connect to networks. However, information in this guidance may be useful to others who are responsible for keeping networked devices safe from threats, such as

Why is FDA concerned about security of networks?

FDA is concerned about the security of networks because vulnerable OTS software can allow an attacker to gain unauthorized access to a network or to a medical device, and that access can reduce the safety and effectiveness of devices that connect to those networks.

What does this guidance cover?

The guidance covers major responsibilities of manufacturers of medical devices containing OTS software. These responsibilities are based on FDA's Quality System regulation. FDA has already explained those responsibilities to manufacturers. (See FDA's guidance on Off-The-Shelf Software Use In Medical Devices.) We intend this guidance to help manufacturers better understand these responsibilities.

When can healthcare organizations apply software patches to medical devices that don't come from the medical device manufacturer?

In our view, it is rare for healthcare organizations to have enough technical resources and information on the design of medical devices to independently maintain medical device software. Thus, most healthcare organizations need to rely on the advice of medical device manufacturers.

What is my role in solving this problem?

Now that you are aware of the manufacturers’ responsibilities, work with them and with your institution to devise and implement a plan for dealing with potential cybersecurity vulnerabilities in your institution.

If you have questions concerning this document, contact John F. Murray Jr. 301-796-5543, john.murray@fda.hhs.gov.

Submit Comments

You can submit online or written comments on any guidance at any time (see 21 CFR 10.115(g)(5)).

If unable to submit comments online, please mail written comments to:

Dockets Management
Food and Drug Administration
5630 Fishers Lane, Rm 1061
Rockville, MD 20852

All written comments should be identified with this document's docket number: FDA-2020-D-0957.