Information for Healthcare Organizations about FDA's "Guidance for Industry: Cybersecurity for Networked Medical Devices Containing Off-The-Shelf (OTS) Software" February 2005

The Center for Devices and Radiological Health, FDA, has issued a guidance document for manufacturers on cybersecurity of networked medical devices that use OTS software. We know that you are very interested in this issue, so we have prepared the following questions and answers to help you understand the guidance document.

What medical devices does this guidance cover?

This guidance covers medical devices that:

• use OTS software
• can connect to networks, such as a private intranet or the public Internet, and
• need updates or patches because their OTS software is found vulnerable to viruses, worms, and other threats.

• systems that obtain, archive, and communicate pictures on networks within healthcare facilities, such as computed tomography (CT), magnetic resonance (MR), ultrasound (US), nuclear medicine (NM), and endoscopy
• systems that monitor patient activity, such as electrocardiographic (ECG) systems
• systems that communicate with clinical laboratory analyzers, such as laboratory information systems

Who is this guidance for?

FDA has addressed the guidance to manufacturers of medical devices. This guidance explains some of FDA's rules for manufacturers of medical devices that use OTS software and connect to networks. However, information in this guidance may be useful to others who are responsible for keeping networked devices safe from threats, such as

• suppliers of non-medical device network software and hardware, such as computers, routers, switches, operating systems, database engines
• healthcare organizations and their network administrators who set up and maintain computer networks connected to medical devices

Why is FDA concerned about security of networks?

FDA is concerned about the security of networks because vulnerable OTS software can allow an attacker to get unauthorized access to a network or medical device and reduce the safety and effectiveness of devices that connect to those networks.

What does this guidance cover?

The guidance covers major responsibilities of manufacturers of medical devices containing OTS software. These responsibilities are based on FDA's Quality System regulation. FDA has already explained those responsibilities to manufacturers. (See FDA's guidance on Off-The-Shelf Software Use In Medical Devices.) We intend this guidance to help manufacturers better understand these responsibilities.

• If manufacturers chose to use OTS software in their devices and vulnerabilities in OTS software can affect the safety and effectiveness of their networked devices, they have to act to keep their devices safe and effective.
• FDA’s Quality System regulation requires medical device manufacturers to examine sources of quality data and correct or prevent quality problems.
• Ordinarily, FDA will not need to review software patches before a device manufacturer puts them in place. FDA views most software patches as design changes that manufacturers can make without prior discussion with FDA. FDA has already advised manufacturers on when they should involve FDA. (See FDA's guidances on General Principles of Software Validation andDeciding When to Submit a 510(k) for a Change to an Existing Device and regulations on notification and premarket approval application supplements and reports.)

• it would change who it’s for, what it does, or how it works (a change in the indication for use), and/or
• it would make the device less safe and effective

When can healthcare organizations apply software patches to medical devices that don't come from the medical device manufacturer?

In our view, it is rare for healthcare organizations to have enough technical resources and information on the design of medical devices to independently maintain medical device software. Thus, most healthcare organizations need to rely on the advice of medical device manufacturers.

What is my role in solving this problem?

Now that you are aware of the manufacturers’ responsibilities, work with them and with your institution to devise and implement a plan for dealing with potential cybersecurity vulnerabilities in your institution.

If you have questions concerning this document, contact John F. Murray Jr. 301-796-5543, john.murray@fda.hhs.gov.

Submit Comments

You can submit online or written comments on any guidance at any time (see 21 CFR 10.115(g)(5))

If unable to submit comments online, please mail written comments to:

Dockets Management
Food and Drug Administration
5630 Fishers Lane, Rm 1061
Rockville, MD 20852

All written comments should be identified with this document's docket number: FDA-2020-D-0957.