
Mitigation of Cybersecurity Risks in Medical Device Software: FDA Discussion & Insights



The U.S. Food & Drug Administration (“FDA”) has increased its focus on mitigating cybersecurity risks in medical device software. On June 24, 2021, the FDA issued two documents that are important not only for entities that service or remanufacture medical devices (“servicers” and “remanufacturers,” respectively), but also original equipment manufacturers (“OEMs”) of such devices.

  1. Draft guidance that distinguishes between “remanufacturing” and “servicing” a medical device. (See FDA, “Remanufacturing of Medical Devices – Draft Guidance for Industry and Food and Drug Administration Staff,” (June 24, 2021) (hereinafter “Draft Remanufacturing Guidance”)).
  2. A discussion paper on the challenges and opportunities in addressing cybersecurity issues while servicing medical devices. (See FDA, “Strengthening Cybersecurity Practices Associated with Servicing of Medical Devices: Challenges and Opportunities,” (June 24, 2021) (hereinafter “Cybersecurity Discussion Paper”)).

The public comment period for both the Draft Remanufacturing Guidance and Cybersecurity Discussion Paper closes September 22, 2021.

Taken together, the documents underscore how critical it is for OEMs to design medical device software so that, to the extent possible, cybersecurity threats are mitigated upfront, and to collaborate with all stakeholders, including health care establishments, healthcare providers, and independent service organizations, to identify and address cybersecurity vulnerabilities throughout the device lifecycle. Moreover, the FDA’s guidance reflects that changes to software are more likely to be considered “remanufacturing” rather than merely “servicing,” and are thus subject to additional requirements.

In addition to its recent draft guidance and discussion paper, the FDA has also appointed Dr. Kevin Fu as the agency’s first acting director of medical device cybersecurity. Dr. Fu has stated that he anticipates the FDA will issue an updated draft version of the premarket cybersecurity guidance for OEMs to take into consideration while designing software for medical devices. (See Nancy Crotti, “New FDA Medtech Cybersecurity Chief Expects Guidance to Debut this Year,” (Feb. 19, 2021), (hereinafter “Crotti”); see also “Kevin Fu fills new leadership position at FDA’s Center for Devices and Radiological Health, overseeing medical device security”). The existing final version of the guidance was finalized in October 2014, and the FDA issued subsequent draft guidance on the same topic in October 2018.

This insight (1) highlights the key takeaways from the Draft Remanufacturing Guidance and Cybersecurity Discussion Paper, and (2) discusses what to expect from FDA’s forthcoming updated premarket cybersecurity guidance.


While a detailed discussion of the FDA’s publications is provided below, the top-line recommendations for OEMs, in light of the FDA’s guidance, include the following:

  • Incorporate procedures that would make the software both trustworthy and resilient. Trustworthiness may require the use of authentication and encryption technology. Resilience may require fall back to a safe mode in the case of a cyberattack that infiltrates the system.
  • Consider making your software design and update practices transparent. Transparency may require timely notification of a newly discovered attack and timely security updates.
  • Include in the design and implementation of the software a specification of cybersecurity features and validation of those features, and a Cybersecurity Bill of Materials (“CBOM”), preferably cross-linked to a vulnerability database (e.g., the National Vulnerability Database (NVD)). The specification may be based on threat modeling and security risk assessments.
  • Regularly employ static and/or dynamic vulnerability testing of the software.
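As an added illustration of the CBOM recommendation above (example code written for this page, not from the FDA documents or from any device vendor): a small Python model of a Cybersecurity Bill of Materials whose entries are cross-linked to vulnerability records shaped like NVD entries, plus a filter that surfaces the findings a postmarket review would act on. All component names, versions, suppliers and CVE identifiers are constructed placeholders, and the version-range match is a simplified stand-in for the CPE matching a real vulnerability database performs.

```python
# Added example (not from the FDA documents or the insight): a minimal
# Cybersecurity Bill of Materials (CBOM) cross-linked to vulnerability
# records in the shape of NVD entries. Every component, version, CVE id
# and severity below is constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    """One entry in the device's CBOM: a third-party or in-house software part."""
    name: str
    version: str
    supplier: str


@dataclass(frozen=True)
class VulnRecord:
    """A vulnerability record as a vulnerability database would expose it:
    affected product, inclusive start version, exclusive fixed version."""
    cve_id: str
    product: str
    affected_from: str
    fixed_in: str
    severity: str


def parse_version(version: str) -> tuple:
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def is_affected(component: Component, record: VulnRecord) -> bool:
    """True when the component's version lies in [affected_from, fixed_in)."""
    if component.name != record.product:
        return False
    v = parse_version(component.version)
    return parse_version(record.affected_from) <= v < parse_version(record.fixed_in)


def cross_link(cbom, records):
    """Map each CBOM entry ('name@version') to the CVE ids that apply to it.
    Entries with no matches are kept so the CBOM stays a complete inventory."""
    linked = {}
    for comp in cbom:
        key = f"{comp.name}@{comp.version}"
        linked[key] = sorted(r.cve_id for r in records if is_affected(comp, r))
    return linked


def open_findings(linked, records, min_severity="HIGH"):
    """Return (component, cve_id) pairs at or above min_severity: the list a
    postmarket process would review for patching or a safe-mode fallback."""
    rank = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}
    by_id = {r.cve_id: r for r in records}
    return [
        (key, cve)
        for key, cves in linked.items()
        for cve in cves
        if rank[by_id[cve].severity] >= rank[min_severity]
    ]


# Constructed CBOM for a hypothetical infusion-pump controller image.
SAMPLE_CBOM = [
    Component("tls-lib", "1.2.3", "Example Crypto Ltd"),
    Component("rtos-kernel", "4.0.1", "Example RTOS Inc"),
    Component("pump-app", "2.7.0", "Example Medical (in-house)"),
]

# Constructed vulnerability records; the CVE ids are placeholders, not real ones.
SAMPLE_RECORDS = [
    VulnRecord("CVE-0000-0001", "tls-lib", "1.0.0", "1.2.4", "HIGH"),
    VulnRecord("CVE-0000-0002", "tls-lib", "1.3.0", "1.3.2", "MEDIUM"),
    VulnRecord("CVE-0000-0003", "rtos-kernel", "3.9.0", "4.0.0", "CRITICAL"),
]

if __name__ == "__main__":
    linked = cross_link(SAMPLE_CBOM, SAMPLE_RECORDS)
    for entry, cves in linked.items():
        print(entry, "->", cves or "no known vulnerabilities")
    print("review:", open_findings(linked, SAMPLE_RECORDS))
```

Keeping unaffected components in the cross-linked output is deliberate: a CBOM is an inventory first, and a vulnerability database lookup that silently drops entries loses the evidence that a component was checked and found clean on a given date. Re-running the join whenever the vulnerability feed changes is what turns the CBOM into the living record the recommendation above calls for.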

If you are an entity providing a maintenance service for a medical device that includes software, it is worth considering, in light of FDA’s Cybersecurity Discussion Paper, the following:

  • Report any known or suspected incidents of cyberattacks to the OEMs and/or remanufacturers as soon as possible.
  • Update software in a secure manner.


The FDA’s Draft Remanufacturing Guidance draws clear distinctions between the act of “remanufacturing” and the act of “servicing” a medical device. One key takeaway is that changes to software generally are likelier to be considered remanufacturing compared to changes to hardware, which are likelier to be considered merely servicing. For software engineers, this classification is important, as “remanufacturers” are subject to different — and higher — default burdens regarding building security into devices. The Draft Remanufacturing Guidance provides the following specifics regarding this distinction:

  • The FDA describes remanufacturing as “the processing, conditioning, renovating, repackaging, restoring, or any other act done to a finished device that significantly changes the finished device’s performance or safety specifications, or intended use.” (Draft Remanufacturing Guidance at 3 (emphasis added)).
  • Servicing, on the other hand, means “the repair and/or preventive or routine maintenance of one or more parts in a finished device, after distribution, for purposes of returning it to the safety and performance specifications established by the OEM and to meet its original intended use.” (Id. (emphasis added)).

The FDA provides a flow chart to aid in the classification of an entity as a remanufacturer or as a servicing entity, when that entity makes non-software changes to a medical device. (See Id. at 8, 9, and 11 (Figure 1); see also Id. at 3 (describing that the actions performed by an entity, and not the entity’s self-designation, guide the classification)). The FDA stresses that the flow chart “and its accompanying text should not be applied to changes involving software.” (Id. at 15; see also Id. at 8).

Many software changes, the agency explains, would likely be considered remanufacturing — not servicing — due to the “impact on a product’s software architecture, software requirements specifications, unresolved anomalies, and other key characteristics.” (Id. at 15-16). The FDA notes, however, that activities like assessments for viruses, malware, and other cybersecurity issues, or installing cybersecurity updates, would not be considered remanufacturing, because “they generally do not significantly change the performance or safety specifications of the device.” (Id. at 16). Service providers should document their rationale for why their work is not remanufacturing, consistent with the Draft Remanufacturing Guidance. Servicers should also understand that the FDA encourages servicers to work with OEMs (see Cybersecurity Discussion…

