Comply with FDA Device Security Requirements

Introduction

On September 27, 2023, the Food and Drug Administration (FDA) finalized its cybersecurity guidance for medical devices, titled Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions. Medical devices under review for FDA clearance use the published guidance as a framework to demonstrate that effective policies and processes will be in place to maintain security throughout the device's product lifecycle. The following table is intended to help organizations trace their own internal practices to the controls defined by the FDA.

Table of Controls

The following table maps all current FDA cybersecurity documents and the controls they require.

| ID | Category | FDA Requirement | Regulatory Mapping |
|----|----------|-----------------|--------------------|
| 1 | Authentication | Avoid the use of implicit authentication mechanisms (i.e., trusted IP addresses and handshakes that do not rely on cryptographic secrets). | US FDA 2023 - Premarket |
| 2 | Authentication | Use cryptographic authentication protocols. | US FDA 2023 - Premarket |
| 3 | Authentication | Use cryptographically strong authentication, where the authentication functionality resides on the device, to authenticate personnel, messages, commands, updates, and, as applicable, all other communication pathways. Hardware-based security solutions should be considered and employed when possible. | US FDA 2023 - Premarket |
| 4 | Authentication | Authenticate external connections at a frequency commensurate with the associated risks. For example, if a device connects to an offsite server, then the device and the server should mutually authenticate each session and limit the duration of the session, even if the connection is initiated over one or more existing trusted channels. | US FDA 2023 - Premarket |
| 5 | Authentication | Use appropriate user authentication (e.g., multi-factor authentication to permit privileged device access to system administrators, service technicians, or maintenance personnel, among others, as needed). | US FDA 2023 - Premarket |
| 6 | Authentication | Require authentication, and authorization in certain instances, before permitting software or firmware updates, including those updates affecting the operating system, applications, and anti-malware functionality. | US FDA 2023 - Premarket |
| 7 | Authentication | Strengthen password protections. Do not use passwords that are hardcoded, default, easily guessed, or easily compromised (e.g., passwords that are the same for each device; unchangeable; can persist as default; difficult to change; and/or vulnerable to public disclosure). | US FDA 2023 - Premarket |
| 8 | Authentication | Implement anti-replay measures in critical communications such as potentially harmful commands. This can be accomplished with the use of several methods, including the use of cryptographic nonces (an arbitrary number used only once in a cryptographic communication). | US FDA 2023 - Premarket |
| 9 | Authentication | Provide mechanisms for verifying the authenticity of information originating from the device, such as telemetry. This is especially important for data that, if spoofed or otherwise modified, could result in patient harm, such as the link between a clinician programmer or monitoring device and an implanted device like a pacemaker, defibrillator, or neurostimulator; or the link between a continuous glucose monitor system and an automated insulin pump. | US FDA 2023 - Premarket |
| 10 | Authentication | Do not rely on cyclic redundancy checks (CRCs) as security controls. CRCs do not provide integrity or authentication protections in a security environment. While CRCs are an error-detecting code and provide integrity protection against environmental factors (e.g., noise or EMC), they do not provide protection against an intentional or malicious actor. | US FDA 2023 - Premarket |
| 11 | Authentication | Consider how the device and/or system should respond in the event of authentication failure(s). | US FDA 2023 - Premarket |
| 12 | Authorization | Limit authorized access to devices through the authentication of users (e.g., user ID and password, smartcard, biometric, certificates, or other appropriate authentication method). | US FDA 2023 - Premarket |
| 13 | Authorization | Use automatic timed methods to terminate sessions within the medical device system where appropriate for the use environment. | US FDA 2023 - Premarket |
| 14 | Authorization | Employ an authorization model that incorporates the principle of least privilege by differentiating privileges based on the user role (e.g., caregiver, patient, healthcare provider, system administrator) or device functions. | US FDA 2023 - Premarket |
| 15 | Authorization | Design devices to “deny by default” (i.e., that which is not expressly permitted by a device is denied by default). For example, the device should generally reject all unauthorized connections (e.g., incoming TCP, USB, Bluetooth, serial connections). Ignoring requests is one form of denying authorization. | US FDA 2023 - Premarket |
| 16 | Cryptography | Select industry-standard cryptographic algorithms and protocols, and select appropriate key generation, distribution, management and protection, as well as robust nonce mechanisms. | US FDA 2023 - Premarket |
| 17 | Cryptography | Use current NIST recommended standards for cryptography (e.g., FIPS 140-3, NIST Suite B), or equivalent-strength cryptographic protection, that are expected to be considered cryptographically strong throughout the service life of the device. Manufacturers should not implement cryptographic algorithms that have been deprecated or disallowed in applicable standards or best practices (e.g., NIST SP 800-131A, Transitioning the Use of Cryptographic Algorithms and Key Lengths). Implementation of algorithms with a status of “legacy use” should be discussed with FDA during a pre-submission meeting. | US FDA 2023 - Premarket |
| 18 | Cryptography | Design a system architecture and implement security controls to prevent a situation where the full compromise of any single device can result in the ability to reveal keys for other devices. For example, avoid using master keys stored on the device, or key derivation algorithms based solely on device identifiers or other readily discoverable information. | US FDA 2023 - Premarket |
| 19 | Cryptography | Implement cryptographic protocols that permit negotiated parameters/versions such that the most recent, secure configurations are used, unless otherwise necessary. | US FDA 2023 - Premarket |
| 20 | Cryptography | Do not allow downgrades, or version rollbacks, unless absolutely necessary for safety reasons, and log and document the event. Downgrades can allow attackers to exploit prior, less protected versions and should be avoided. | US FDA 2023 - Premarket |
| 21 | Code, Data, and Execution Integrity | Hardware-based security solutions should be considered and employed when possible. | US FDA 2023 - Premarket |
| 22 | Code, Data, and Execution Integrity | Authenticate firmware and software. Verify authentication tags (e.g., signatures, message authentication codes (MACs)) of software/firmware content, version numbers, and other metadata. The version numbers intended to be installed should themselves be signed or have MACs. Devices should be electronically and visibly identifiable (e.g., unique device identifier (UDI), model number, serial number). | US FDA 2023 - Premarket |
| 23 | Code, Data, and Execution Integrity | Allow installation of cryptographically authenticated firmware and software updates, and do not allow installation where such cryptographic authentication either is absent or fails. | US FDA 2023 - Premarket |
| 24 | Code, Data, and Execution Integrity | Ensure that all software and firmware on the device is protected from unauthorized access, modification, and deletion, regardless of whether the software and firmware resides within a virtual private network (VPN) or on the cloud. Maintain all software and firmware in a secure environment and perform routine security updates. Encrypt all software updates prior to transmission. | US FDA 2023 - Premarket |
| 25 | Code, Data, and Execution Integrity | Ensure that all software/firmware changes are tracked and that the appropriate personnel review and approve these changes prior to implementation. Software or firmware changes that are not approved should not be allowed to execute. A cryptographic mechanism such as digital signatures should be used to ensure software/firmware integrity (e.g., during updates or during execution) and to confirm that the software/firmware originates from a known source, is up-to-date, and has not been tampered with. | US FDA 2023 - Premarket |
| 26 | Code, Data, and Execution Integrity | Provide secure coding guidance to developers (e.g., guidance from the FDA, NIST, ISO, IEEE, etc.) and encourage compliance with industry-recognized secure coding standards. Review the software design and coding process for security vulnerabilities, especially those resulting from faulty design, implementation, or integration. | US FDA 2023 - Premarket |
| 27 | Code, Data, and Execution Integrity | Implement and maintain secure software development lifecycle practices throughout the entire lifecycle of the device (e.g., requirements definition, design, implementation, verification, maintenance, and retirement). | US FDA 2023 - Premarket |
| 28 | Code, Data, and Execution Integrity | Incorporate security features into the design of the device, such as data execution prevention (DEP), address space layout randomization (ASLR), and stack overflow protections. These protections are intended to mitigate the risk of common software security vulnerabilities. | US FDA 2023 - Premarket |
| 29 | Code, Data, and Execution Integrity | Use hardware features designed to support security in depth, such as trusted platform modules (TPMs), secure enclaves, and a hardware root of trust. | US FDA 2023 - Premarket |
| 30 | Code, Data, and Execution Integrity | Design and implement software/firmware updates to be secure by design. Ensure that updates can be verified for integrity, that they are resistant to man-in-the-middle attacks, and that updates are obtained from an authenticated source. Consider using secure boot mechanisms and encrypted channels for secure software/firmware updates. | US FDA 2023 - Premarket |
| 31 | Code, Data, and Execution Integrity | Implement runtime integrity protections to detect and prevent unauthorized changes to critical files, settings, and configurations. For example, deploy integrity monitoring solutions that can detect unauthorized changes to files, registry settings, and configuration parameters, and generate alerts or take other appropriate actions (e.g., halt, notify administrator). | US FDA 2023 - Premarket |
| 32 | Code, Data, and Execution Integrity | Employ controls to protect against rollback of software/firmware updates to a less secure version. For example, use cryptographic hashes or signatures to ensure that software/firmware updates have not been tampered with and that only signed updates are accepted and applied. | US FDA 2023 - Premarket |
| 33 | Code, Data, and Execution Integrity | Implement measures to mitigate the risk of supply chain compromises, including tamper-evident packaging, supply chain visibility, and vetting of suppliers. | US FDA 2023 - Premarket |
| 34 | Code, Data, and Execution Integrity | Ensure that all components, including open source and third-party software, are kept up-to-date with the latest security patches and updates. Establish a process for monitoring and applying patches and updates in a timely manner. | US FDA 2023 - Premarket |
| 35 | Code, Data, and Execution Integrity | Ensure that code, data, and execution integrity mechanisms function properly throughout the lifecycle of the device. Test these mechanisms during design verification, validation, and routine maintenance. | US FDA 2023 - Premarket |
| 36 | Code, Data, and Execution Integrity | Develop a response plan for addressing vulnerabilities discovered post-market and take appropriate corrective actions to mitigate risk, which may include software patches, firmware updates, or other remediation measures. Ensure that post-market vulnerability assessments and remediation efforts follow a risk-based approach. | US FDA 2023 - Premarket |
| 37 | Confidentiality | Ensure that sensitive data is encrypted both in transit and at rest using industry-standard encryption algorithms (e.g., AES, RSA, ECC) and appropriate key management practices. | US FDA 2023 - Premarket |
| 38 | Confidentiality | Protect the confidentiality of sensitive data (e.g., patient information, device configurations, system logs) through access controls, encryption, and other appropriate means. Limit access to sensitive data to only those users and systems that require it for legitimate purposes. | US FDA 2023 - Premarket |
| 39 | Confidentiality | Implement logging mechanisms to record access to sensitive data, security-related events, and other relevant activities. Ensure that logs are protected from unauthorized access, tampering, and deletion. Periodically review and analyze logs for indications of security incidents, unauthorized access, or other anomalies. | US FDA 2023 - Premarket |
| 40 | Confidentiality | Provide a mechanism to allow authorized users (e.g., system administrators, healthcare providers) to access audit logs for review and analysis. Ensure that audit logs capture key security events (e.g., logins, failed login attempts, privilege changes, configuration changes, critical system events). | US FDA 2023 - Premarket |
| 41 | Confidentiality | Limit the collection, storage, and transmission of personally identifiable information (PII) and other sensitive data to only what is necessary for the intended purpose of the device. Encrypt any stored or transmitted PII or sensitive data. | US FDA 2023 - Premarket |
| 42 | Confidentiality | Implement appropriate access controls and authorization mechanisms to prevent unauthorized access to sensitive data. Enforce the principle of least privilege by granting users only the access necessary to perform their authorized functions. | US FDA 2023 - Premarket |
| 43 | Confidentiality | Encrypt communication channels to prevent eavesdropping, tampering, and other unauthorized access. Use secure protocols (e.g., TLS) and strong cryptographic algorithms to protect data in transit. | US FDA 2023 - Premarket |
| 44 | Confidentiality | Protect sensitive data (e.g., PHI, PII) stored in the cloud by implementing appropriate security controls (e.g., encryption, access controls, data masking). | US FDA 2023 - Premarket |
| 45 | Confidentiality | Ensure that cloud service providers (CSPs) comply with applicable security and privacy regulations (e.g., HIPAA, GDPR) and provide assurances of compliance through contractual agreements, certifications, and third-party audits. | US FDA 2023 - Premarket |
| 46 | Integrity | Use digital signatures, message authentication codes (MACs), or other cryptographic mechanisms to ensure the integrity of transmitted data, including commands, configuration data, and updates. | US FDA 2023 - Premarket |
| 47 | Integrity | Protect against unauthorized modification of critical configuration settings, parameters, and other data that could affect the safety, effectiveness, or performance of the device. This includes preventing unauthorized changes to software, firmware, and hardware configurations. | US FDA 2023 - Premarket |
| 48 | Integrity | Validate input data to ensure that it is well-formed, valid, and within acceptable ranges. Implement input validation controls to prevent buffer overflows, SQL injection, cross-site scripting (XSS), and other common attack vectors. | US FDA 2023 - Premarket |
| 49 | Integrity | Employ integrity checks and checksums to detect unauthorized changes to firmware, software, and critical data. Perform regular integrity checks during operation and upon startup to ensure that the device has not been tampered with or compromised. | US FDA 2023 - Premarket |
| 50 | Integrity | Implement controls to ensure the integrity of critical processes, including those related to device operation, data handling, and system configuration. These controls should prevent unauthorized access, tampering, and other forms of interference. | US FDA 2023 - Premarket |
| 51 | Integrity | Use secure boot mechanisms to ensure that only trusted and authenticated firmware/software is loaded and executed on the device. Validate the integrity of firmware/software during the boot process and refuse to boot if the integrity checks fail. | US FDA 2023 - Premarket |
| 52 | Integrity | Use hardware features such as secure boot, secure enclaves, and a hardware root of trust to protect against unauthorized modifications to firmware and critical system components. | US FDA 2023 - Premarket |
| 53 | Integrity | Employ runtime integrity protections to detect and prevent unauthorized changes to critical files, settings, and configurations. Implement integrity monitoring solutions that can detect and respond to unauthorized changes in real time. | US FDA 2023 - Premarket |
| 54 | Integrity | Use cryptographic mechanisms to ensure the integrity of data stored in non-volatile memory (e.g., flash memory, EEPROM). Implement protections to prevent unauthorized modifications to stored data, including encryption, digital signatures, and access controls. | US FDA 2023 - Premarket |
| 55 | Non-repudiation | Implement mechanisms to ensure the integrity and authenticity of data generated by the device, such as timestamps, digital signatures, and cryptographic hashes. These mechanisms should be used to provide non-repudiation, ensuring that the origin and integrity of data can be verified and attributed to specific sources. | US FDA 2023 - Premarket |
| 56 | Non-repudiation | Ensure that audit logs and other records of device activity are tamper-evident and resistant to modification. Use cryptographic techniques to protect the integrity of logs and to provide evidence of tampering or unauthorized access. | US FDA 2023 - Premarket |
| 57 | Non-repudiation | Implement controls to prevent the deletion, alteration, or tampering of audit logs and other records of device activity. Log entries should be time-stamped, and changes to logs should be logged and reviewed. | US FDA 2023 - Premarket |
| 58 | Non-repudiation | Ensure that audit logs capture key security events (e.g., logins, failed login attempts, privilege changes, configuration changes, critical system events). Implement mechanisms to detect and respond to suspicious or anomalous behavior. | US FDA 2023 - Premarket |
| 59 | Non-repudiation | Provide a mechanism for authorized users (e.g., system administrators, healthcare providers) to review and analyze audit logs. Implement access controls to restrict access to audit logs to authorized personnel. | US FDA 2023 - Premarket |
| 60 | Non-repudiation | Use cryptographic techniques to provide non-repudiation for device commands and actions. Digital signatures and other cryptographic mechanisms should be used to ensure that commands and actions can be attributed to specific users or entities. | US FDA 2023 - Premarket |
| 61 | Resilience | Implement resilience measures to ensure continued device functionality in the event of component failures, network interruptions, or other adverse conditions. This may include redundancy, failover mechanisms, and graceful degradation of non-essential services. | US FDA 2023 - Premarket |
| 62 | Resilience | Design devices to recover gracefully from unexpected faults, errors, and exceptions. Implement error handling and recovery mechanisms to mitigate the impact of software bugs, hardware failures, and other faults. | US FDA 2023 - Premarket |
| 63 | Resilience | Ensure that critical device functions (e.g., therapeutic delivery, patient monitoring) continue to operate correctly in the event of software or firmware failures. Implement safety-critical software in accordance with relevant standards (e.g., IEC 62304, ISO 14971) and perform thorough testing to validate safety and reliability. | US FDA 2023 - Premarket |
| 64 | Resilience | Implement robust error detection and correction mechanisms to prevent or mitigate data corruption, transmission errors, and other forms of data loss or degradation. Use error checking and correction (ECC) codes, checksums, and other techniques to detect and correct errors in data transmission and storage. | US FDA 2023 - Premarket |
| 65 | Resilience | Use redundant and diverse communication pathways (e.g., wired, wireless, cellular) to ensure continued connectivity in the event of network failures or disruptions. Implement failover mechanisms to automatically switch to alternate communication channels if primary channels become unavailable. | US FDA 2023 - Premarket |
| 66 | Resilience | Employ backup and recovery mechanisms to protect against data loss and corruption. Regularly back up critical data and configurations, and test backup and recovery procedures to ensure their effectiveness. Store backups in a secure location, separate from the primary data storage, to prevent loss due to disasters or other catastrophic events. | US FDA 2023 - Premarket |
| 67 | Resilience | Implement mechanisms to detect and respond to abnormal system behavior, such as resource exhaustion, memory leaks, and process crashes. Use monitoring tools and diagnostic capabilities to identify and troubleshoot issues before they impact device functionality. | US FDA 2023 - Premarket |
| 68 | Resilience | Design devices to be modular and easily upgradeable to accommodate future enhancements and changes. Implement hot-swappable components and interfaces to minimize downtime during maintenance and upgrades. | US FDA 2023 - Premarket |
| 69 | Resilience | Conduct thorough risk assessments and hazard analyses to identify potential failure modes, their impact on device performance, and mitigation strategies. Use failure mode and effects analysis (FMEA) and other risk management techniques to prioritize risks and develop resilience measures. | US FDA 2023 - Premarket |
| 70 | Resilience | Establish a robust incident response plan to address security breaches, device failures, and other adverse events. Define roles and responsibilities, escalation procedures, and communication protocols for responding to incidents in a timely and effective manner. | US FDA 2023 - Premarket |
| 71 | Transparency and Traceability | Provide transparent and accurate information about device security features, capabilities, and limitations to users, healthcare providers, regulators, and other stakeholders. Include security-related information in user manuals, labeling, and other documentation provided with the device. | US FDA 2023 - Premarket |
| 72 | Transparency and Traceability | Maintain records of security-related activities, including security testing, vulnerability assessments, and remediation efforts. Keep documentation of security controls, configurations, and security incidents for auditing and regulatory purposes. | US FDA 2023 - Premarket |
| 73 | Transparency and Traceability | Engage in proactive communication with customers and stakeholders regarding security vulnerabilities, patches, updates, and other security-related information. Establish channels for reporting security incidents, vulnerabilities, and concerns, and respond to reports in a timely and transparent manner. | US FDA 2023 - Premarket |
| 74 | Transparency and Traceability | Provide clear and concise security advisories and alerts to inform users and administrators about security vulnerabilities, patches, updates, and other relevant information. Make security advisories readily accessible through multiple channels (e.g., websites, email notifications, social media). | US FDA 2023 - Premarket |
| 75 | Transparency and Traceability | Maintain a comprehensive inventory of all software and hardware components used in the device, including third-party libraries and dependencies. Keep records of version numbers, patch levels, and other relevant information to facilitate vulnerability management and risk assessment. | US FDA 2023 - Premarket |
| 76 | Transparency and Traceability | Collaborate with regulators, industry groups, and other stakeholders to share information and best practices for medical device security. Participate in working groups, standards development organizations, and other forums to contribute to the advancement of medical device cybersecurity. | US FDA 2023 - Premarket |
| 77 | Transparency and Traceability | Maintain accurate and up-to-date documentation for the device, including design specifications, security architecture, threat models, risk assessments, and security testing reports. Make documentation available to authorized users, regulators, and other stakeholders upon request. | US FDA 2023 - Premarket |
| 78 | Transparency and Traceability | Provide mechanisms for reporting security vulnerabilities and concerns to the manufacturer, regulatory authorities, and other relevant organizations. Establish clear channels for receiving and triaging reports, and respond to reports in a timely and responsible manner. | US FDA 2023 - Premarket |
| 79 | Transparency and Traceability | Implement procedures for reviewing and assessing third-party products and services used in the development and operation of the device. Evaluate the security posture of third-party vendors and conduct due diligence to ensure that they meet security requirements and standards. | US FDA 2023 - Premarket |
| 80 | Transparency and Traceability | Conduct regular security assessments and audits to evaluate the effectiveness of security controls, identify vulnerabilities, and validate compliance with security requirements and standards. Use the results of assessments to improve security posture and mitigate risks. | US FDA 2023 - Premarket |
| 81 | Usability | Design devices to be intuitive and easy to use, with clear and consistent user interfaces. Incorporate human factors engineering principles to optimize usability and minimize user errors. | US FDA 2023 - Premarket |
| 82 | Usability | Provide user training and education to ensure that users understand how to operate the device safely and securely. Develop user manuals, training materials, and other educational resources to support users in learning and using the device effectively. | US FDA 2023 - Premarket |
| 83 | Usability | Implement access controls and authorization mechanisms that balance security requirements with usability. Ensure that users can access the functions and information they need to perform their tasks without unnecessary barriers or impediments. | US FDA 2023 - Premarket |
| 84 | Usability | Use clear and informative error messages to communicate with users in the event of errors, warnings, or other system events. Provide guidance on how to resolve issues and take appropriate actions. | US FDA 2023 - Premarket |
| 85 | Usability | Incorporate feedback mechanisms to gather input from users and stakeholders about device usability, performance, and security. Use feedback to identify areas for improvement and inform future iterations of the device. | US FDA 2023 - Premarket |
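As an added illustration of controls 10, 22, 23 and 32 (example code written for this page, not from the FDA guidance or any device vendor): a device-side update check that authenticates the update manifest with a MAC (a digital signature would play the same role), includes the version number in the authenticated data, refuses rollback to an installed-or-older version, and shows why a CRC alone does not detect deliberate tampering. The key, image bytes and manifest layout are all constructed for the demo.

```python
"""Firmware-update manifest verification with anti-rollback and a CRC
contrast. Everything here (key, images, manifest fields) is constructed
for illustration; a real device would keep the key in hardware-backed
storage and would normally use an asymmetric signature."""
import hashlib
import hmac
import json
import zlib

# Constructed demo key, not a real device secret.
DEVICE_UPDATE_KEY = b"demo-update-key-not-for-production"


def _tag(key: bytes, payload: bytes) -> bytes:
    """HMAC-SHA256 authentication tag over a canonical manifest body."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def build_manifest(key: bytes, image: bytes, version: int) -> dict:
    """Producer side. The tag covers the image hash AND the version number,
    so the version itself is authenticated (control 22). The CRC field is
    included only to show later why it is not a security control."""
    body = {
        "version": version,
        "sha256": hashlib.sha256(image).hexdigest(),
        "crc32": zlib.crc32(image) & 0xFFFFFFFF,
    }
    canonical = json.dumps(body, sort_keys=True).encode()
    body["tag"] = _tag(key, canonical).hex()
    return body


def verify_update(key: bytes, manifest: dict, image: bytes,
                  installed_version: int) -> tuple:
    """Device side. Refuse when the tag is absent or wrong (control 23),
    when the image does not match the authenticated hash, or when the
    version would roll back (control 32). Returns (accepted, reason)."""
    tag_hex = manifest.get("tag")
    if not tag_hex:
        return False, "no authentication tag"
    body = {k: v for k, v in manifest.items() if k != "tag"}
    canonical = json.dumps(body, sort_keys=True).encode()
    try:
        presented = bytes.fromhex(tag_hex)
    except ValueError:
        return False, "malformed tag"
    # Constant-time comparison; check the tag before trusting any field.
    if not hmac.compare_digest(_tag(key, canonical), presented):
        return False, "authentication tag mismatch"
    if hashlib.sha256(image).hexdigest() != body["sha256"]:
        return False, "image hash mismatch"
    if body["version"] <= installed_version:
        return False, (f"rollback to {body['version']} refused "
                       f"(installed {installed_version})")
    return True, "accepted"


def crc_only_check(manifest: dict, image: bytes) -> bool:
    """What control 10 warns against: a CRC needs no secret, so anyone who
    alters the image can recompute it, and the check still passes."""
    return (zlib.crc32(image) & 0xFFFFFFFF) == manifest["crc32"]


def demo() -> dict:
    """Walk through accept, rollback refusal and tamper detection on
    constructed sample images; returns the outcomes for inspection."""
    installed = 3
    good_v4 = b"constructed firmware image v4"
    good_v2 = b"constructed firmware image v2"
    m4 = build_manifest(DEVICE_UPDATE_KEY, good_v4, 4)
    m2 = build_manifest(DEVICE_UPDATE_KEY, good_v2, 2)
    # A modified image whose unauthenticated fields were recomputed without
    # the key: the CRC check cannot tell it apart, the MAC check can.
    modified = b"constructed firmware image v4, modified in transit"
    forged = dict(m4)
    forged["sha256"] = hashlib.sha256(modified).hexdigest()
    forged["crc32"] = zlib.crc32(modified) & 0xFFFFFFFF
    return {
        "genuine": verify_update(DEVICE_UPDATE_KEY, m4, good_v4, installed),
        "rollback": verify_update(DEVICE_UPDATE_KEY, m2, good_v2, installed),
        "crc_passes_forged": crc_only_check(forged, modified),
        "mac_rejects_forged": verify_update(DEVICE_UPDATE_KEY, forged,
                                            modified, installed),
    }
```

A legitimately signed older manifest is rejected purely on its version, which is the behaviour control 20 asks to be logged if it is ever overridden for safety reasons.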