The US Food and Drug Administration (FDA) has published a premarket cybersecurity guidance almost a decade in the making. The document adds requirements based on new authorities granted to the agency by Congress in 2022 along with details on what to include in a software bill of materials (SBOM).
The last time the FDA’s Center for Devices and Radiological Health (CDRH) finalized a premarket cybersecurity guidance was in 2014, and it was just nine pages long. Since then, the center has learned much more about how sponsors develop connected products with the potential for cybersecurity vulnerabilities, which it used to finalize a 57-page guidance on 27 September 2023.
“As you can imagine, there was much evolution in cybersecurity generally, as well as medical device cybersecurity, specifically from 2014 to 2023,” Jessica Wilkerson, senior cyber policy advisor in CDRH’s Office of Strategic Partnerships and Technology Innovation, told Focus. “What we did is, we took our experience of doing medical device cybersecurity reviews and looked at what the 2014 guidance would benefit from, and the manufacturers and agencies that would benefit from it, in terms of additional detail and additional clarity.”…