Cybersecurity (where required) -- September 13, 2016:
“Postmarket Management of Cybersecurity in Medical Devices – Draft Guidance …”, dated January 22, 2016:
- Applies to devices susceptible to unauthorized access / vulnerabilities …
- Include cybersecurity in the product Risk Analysis (ID of threats / vulnerabilities …) – Risks to “essential clinical performance”, both controlled and uncontrolled;
- Includes postmarket monitoring, assessing, detecting, impact determination, disclosure, deployment, et al;
- Incorporate NIST’s Identify, Protect, Detect, Respond, and Recover (included in the Guidance’s Appendix);
- Device manufacturer is responsible to address (tied to 820.100 by FDA);
- Patches = design changes (820.30); not usually subject to FDA review; are “device enhancements”, not “recalls”;
- But subject to K97-1 analysis by manufacturer (K-97 is now two Guidance documents on changes to a device and the 510(k)); and
- Require ‘validation’ (sic).
-- John E. Lincoln jelincoln.com
Updated 09/06/2023