Cybersecurity Work Instruction (WI-007)

Learn how to document your cybersecurity risk controls for a FDA 510k submission when you purchase our cybersecurity work instruction.

Your cart is empty

What does the FDA require for 510k cybersecurity documentation? 

Medical device companies all over the world rely upon IEC 62304 as a standard for management of the software development lifecycle and creating software verification and validation documentation. However, when medical device companies submit their first 510k, they are surprised to receive a deficiency requesting additional verification and validation documentation regarding cybersecurity that was not required by IEC 62304. The wording of this deficiency may be as follows:

Your device has interfaces that introduce cybersecurity risks. However, you have not provided adequate documentation to demonstrate that they were taken into account and addressed.

  • Please provide a system level architecture that includes all the components (assets) of the system (including third party devices), the connections between them, and the communication protocols. Assets may include: Physical Network Components (servers, end-users, peripherals, implants…), Software Systems and Applications (OS, medical applications, firmware…), Communication Paths and Interfaces (physical and logical interfaces), and Data Assets (PHI, secrets, control data, …), etc.
  • Please clearly identify the functionality of the network in your device.
  • Please provide an asset evaluation that includes a detailed description that is based on your response to the deficiency above.
  • Please include a threat model of your system, a detailed cybersecurity plan, including the maintenance plan with respect to routine updates and patches and controls in place to ensure continued integrity of your device in the field, and a response plan.
  • Please also indicate how often you planning to reassess the cybersecurity and what sources you are using as part of your assessment.
  • Please provide a cybersecurity hazard analysis that includes identified risks, causes, and mitigation measures.
  • Please provide a dedicated cybersecurity plan as identified above.

What does the FDA require for 510k cybersecurity documentation? 

Any medical device that includes one or more of the following attributes must include cybersecurity documentation above and beyond the requirements in IEC 62304:

  • Cloud communication
  • Network connection (active or not)
  • Wireless communication in any form
  • USB/serial ports/removable media
  • Software upgrades (this includes patches)

The FDA provides two guidance documents for cybersecurity documentation, and the following documentation must be submitted with your 510k premarket notification:

  • Threat modeling
  • Cybersecurity vulnerabilities/risks
  • Cybersecurity controls
  • Cybersecurity Traceability matrix
  • Post-market cybersecurity plan
  • Plan for malware shipping
  • Cybersecurity labeling

What will you receive when you purchase this cybersecurity work instruction?

Anyone that purchases the 510k software documentation and cybersecurity work instruction (WI-007) will receive the work instruction in native Word format and any future updates to the work instruction at no additional cost. You will also receive the two templates for cybersecurity documentation:

  • Cybersecurity Checklist – TMP-042
  • Cybersecurity Vulnerabilities/Risks – TMP-043

Cybersecurity Work Instruction and Templates $199.00:

Cybersecurity Work Instruction WI 007 Cybersecurity Work Instruction (WI 007)
WI-007 – 510(k) Software Documentation & Cybersecurity Work Instruction

This work instruction provides detailed instructions for preparing 510(k) software documentation, including the use of the Cybersecurity Checklist (TMP-042) and the Cybersecurity Vulnerabilities/Risks Template (TMP-043). There are a number of other software documentation templates referenced in this work instruction. Those templates can be found as part of SYS-044 which is sold separately.

Price: $199.00

This 510k Software Documentation & Cybersecurity Work Instruction (WI-007), and the associated templates, are available for $199. This work instruction is provided with two software documentation templates, while other software documentation templates referenced in this work instruction are sold with the purchase of the Software Development and Validation Procedure (SYS-044). If you would like to ask confidential questions, please use our calendly app to schedule a call with Rob Packard or you can email the author of the work instruction directly. The work instruction and the two templates are provided in native MS Word Formats for your convenience.

Important Note

This work instruction and template will be delivered to the email address provided in the shopping cart transaction. After the transaction is verified, please check your email for the download. The email may be in your spam folder.

Additional resources to supplement this cybersecurity work instruction

In addition to this work instruction, you may also be interested in the following blog articles and webinars related to cybersecurity and or software verification and validation:

About the Author

Photo of Bhoomika 300x300 Cybersecurity Work Instruction (WI 007)Bhoomika Joyappa joined Medical Device Academy as an Associate Regulatory Consultant in April 2021. She has a Master’s Degree in Biomedical/Medical Engineering from The City University of New York. Prior to joining Medical Device Academy she worked as regulatory affairs intern and completed a training program in regulatory affairs at Duke University School of Medicine. She also has previous experience as a SAS programmer and technical writer for Huawei. She is passionate about regulatory affairs, and she is making an immediate positive contribution to our clients by already completing her first few 510k submissions and developing cybersecurity checklists for our clients to help with cybersecurity documentation required by the FDA. She can be reached via email.