Learn how to document your cybersecurity risk controls for an FDA 510k submission when you purchase our cybersecurity work instruction.
What does the FDA require for 510k cybersecurity documentation?
Medical device companies all over the world rely upon IEC 62304 as a standard for the management of the software development lifecycle and for creating software verification and validation documentation. However, when medical device companies submit their first 510k, they are surprised to receive a deficiency requesting additional verification and validation documentation regarding cybersecurity that was not required by IEC 62304. The wording of this deficiency may be as follows:
Your device has interfaces that introduce cybersecurity risks. However, you have not provided adequate documentation to demonstrate that they were taken into account and addressed.
- Please provide a system-level architecture that includes all the components (assets) of the system (including third-party devices), the connections between them, and the communication protocols. Assets may include: Physical Network Components (servers, end-users, peripherals, implants…), Software Systems and Applications (OS, medical applications, firmware…), Communication Paths and Interfaces (physical and logical interfaces), and Data Assets (PHI, secrets, control data, …), etc.
- Please clearly identify the functionality of the network in your device.
- Please provide an asset evaluation that includes a detailed description that is based on your response to the deficiency above.
- Please include a threat model of your system, a detailed cybersecurity plan, including the maintenance plan with respect to routine updates and patches and controls in place to ensure the continued integrity of your device in the field, and a response plan.
- Please also indicate how often you are planning to reassess cybersecurity and what sources you are using as part of your assessment.
- Please provide a cybersecurity hazard analysis that includes identified risks, causes, and mitigation measures.
- Please provide a dedicated cybersecurity plan as identified above.
What does the FDA require for 510k cybersecurity documentation?
Any medical device that includes one or more of the following attributes must include cybersecurity documentation above and beyond the requirements in IEC 62304:
- Cloud communication
- Network connection (active or not)
- Wireless communication in any form
- USB/serial ports/removable media
- Software upgrades (this includes patches)
The FDA provides two guidance documents for cybersecurity documentation, and the following documentation must be submitted with your 510k premarket notification:
- Threat modeling
- Cybersecurity vulnerabilities/risks
- Cybersecurity controls
- Cybersecurity Traceability matrix
- Post-market cybersecurity plan
- Plan for malware shipping
- Cybersecurity labeling
Buy this work instruction now. Pricing increases to $399 on November 30, 2023.
What will you receive when you purchase this cybersecurity work instruction?
Anyone who purchases the 510k software documentation and cybersecurity work instruction (WI-007) will receive the work instruction in native Word format and any future updates to the work instruction at no additional cost. Here’s the release plan for the new version of WI-007 based on the new 2023 FDA cybersecurity guidance:
- Security Risk Management Plan (TMP-050): Version D1 was released on October 5, 2023. This is a new 5-page template. Creating a security risk management plan should be the first step in the software security risk management process.
- Cybersecurity Risk Assessment Template (TMP-043): Version D2 is an updated version released on June 19, 2023. The previous version was a 22-page Word document that was too complex for the intended purpose. The new spreadsheet is simplified and it has been accepted by the FDA in two 510(k) submissions that were cleared (as of October 21, 2023). Recommended software security controls include the following: authentication; authorization; cryptography; code, data, and execution integrity; confidentiality; event detection and logging; resiliency and recovery; and updateability and patchability. If your company has not considered software security during development of your software or firmware, then your risk assessment will be shorter. However, when you conduct vulnerability scanning and pentesting, more vulnerabilities will be identified. In addition, during the post-market phase, additional vulnerabilities will be identified. Each vulnerability will require an incident action plan and report (i.e., a CAPA). Implementing patches and updating software/firmware is more time-consuming than preventing vulnerabilities with a strong security architecture. Therefore, we recommend including security requirements as a software requirement and spending more time proactively identifying software security risks during cybersecurity risk assessment.
- Software Bill of Materials, SBOM (TMP-051): Version D1 was released on October 18, 2023. This is a new requirement in the 2023 FDA cybersecurity guidance. The template is a simple, 1-page Word document where your software team will list software components incorporated into the design of your software/firmware.
- Security Architecture Diagram (TMP-052): Version D1 was released on November 2, 2023. This is a new 8-page template based on the new 2023 FDA cybersecurity guidance document. The architecture diagram serves as the basis for your security testing plan. There are four different types of security architecture diagrams: data flow (section 4.1), environmental mapping (section 4.2), swim lane diagrams (section 4.3), and call flow diagrams (section 4.4). The security architecture diagram will be the most time-consuming part of the cybersecurity documentation process because the FDA requires that you provide a minimum of the following views in premarket submissions: global system view (section 5.1), multi-patient harm view (section 5.2), updateability/patchability view (section 5.3), and security use case view(s) (section 5.4).
- Vulnerability Plan (TMP-053): Version D1 is planned for release on or before November 22, 2023. This is a new template that we are adding based on the new 2023 FDA cybersecurity guidance document.
- Cybersecurity Work Instruction (WI-007): Version D3 is planned for release on or before November 30, 2023. This will be a complete rewrite of the previous version to comply with the new 2023 FDA cybersecurity guidance document.
- Cybersecurity Checklist (i.e., TMP-042): This checklist is now obsolete. It was a 12-page document that was too complex for the intended purpose, and we expect version 5.0 of the eSTAR will incorporate a checklist of what is needed for cybersecurity.
WI-007 is now located in the “Archive” subfolder displayed below. TMP-042, the premarket cybersecurity checklist, and TMP-043, the cybersecurity risk assessment template, are now in the “Archive” subfolder. The updated version will be posted in this folder on or before November 30th.
Additional supporting reference documents that should be used in conjunction with this work instruction and templates include:
- NIST 800-30 – This special publication is referenced in the 2023 FDA cybersecurity guidance. It is available as a free download published in September 2012. The purpose of Special Publication 800-30 is to provide guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39. Risk assessments, carried out at all three tiers in the risk management hierarchy, are part of an overall risk management process—providing senior leaders/executives with the information needed to determine appropriate courses of action in response to identified risks.
- AAMI TIR57:2016/(R)2023 (PDF) – This technical information report is only available from AAMI.org. An AAMI membership is recommended to take advantage of the member discounted price. This Technical Information Report (TIR) provides guidance on methods to perform information security risk management for a medical device in the context of the Safety Risk Management process required by ISO 14971. The TIR incorporates the expanded view of risk management from IEC 80002-1 by incorporating the same key properties of Safety, Effectiveness and Data & Systems Security with Annexes that provide process details and illustrative examples.
This 510k Software Documentation & Cybersecurity Work Instruction (WI-007) and the associated templates are available for $199. Pricing will increase to $399 on November 30, 2023. This work instruction is provided with two software documentation templates, while other software documentation templates referenced in this work instruction are sold with the purchase of the Software Development and Validation Procedure (SYS-044). If you would like to ask confidential questions, please use our Calendly app to schedule a call with Rob Packard, or you can email the author of the work instruction directly. The work instructions and the two templates are provided in native MS Word format for your convenience.
This work instruction and template will be delivered to the email address provided in the shopping cart transaction. After the transaction is verified, please check your email for the download. The email may be in your spam folder.
Future Cybersecurity Work Instructions
We will also be releasing a second work instruction in November. The new work instruction will be called Cybersecurity Incident Response Planning (WI-008). We will explain how to use our CAPA Report (i.e., FRM-009) to document an incident response plan. There will also be four additional documents that are associated with the planning work instruction (titles below are tentative):
- LST-016, Incident Log
- TMP-053, Incident Handling Checklist
- TMP-054, Security Resiliency Improvement Action Plan
- TMP-055, Tabletop Exercise Template
These will be released together with the work instruction on or before November 30, and the pricing of this second work instruction will be $299.
Additional resources to supplement this cybersecurity work instruction
In addition to this work instruction, you may also be interested in the following blog articles and webinars related to cybersecurity and/or software verification and validation:
- Cybersecurity Webinar – Learn what the FDA wants in your 510k
- Cybersecurity FDA Guidance for Devices with Software and Firmware
- Software Service Provider Qualification and Management
- Software as a medical device (SaMD)
- Software Validation Procedure (SYS-044)
- 510k Software Documentation Webinar
About the Author
Bhoomika Joyappa joined Medical Device Academy as an Associate Regulatory Consultant in April 2021. She has a Master’s Degree in Biomedical/Medical Engineering from The City University of New York. Prior to joining Medical Device Academy she worked as a regulatory affairs intern and completed a training program in regulatory affairs at Duke University School of Medicine. She also has previous experience as a SAS programmer and technical writer for Huawei. She is passionate about regulatory affairs, and she is making an immediate positive contribution to our clients by already completing her first few 510k submissions and developing cybersecurity checklists for our clients to help with cybersecurity documentation required by the FDA. She can be reached via email.