Cybersecurity Patches Are Actually Design Changes

Cybersecurity patches — both proactive to address potential threats and reactive to respond to threats that have already occurred — can be expected to be part of any connected device’s lifecycle. But in the medical device world, these patches constitute design changes, which are strictly regulated, says Eric Henry, a senior quality systems and compliance adviser in the law firm King & Spalding.

When applying a cybersecurity patch, the devicemaker must treat it like a design change, explains Henry, in the book Designing Secure Medical Devices: Building Cybersecurity into the Development Process from FDAnews, a WCG company.

The FDA’s Quality System Regulation (QSR) mandates that devicemakers have procedures for documenting, verifying and validating all design changes before they are implemented. These procedures must ensure that the original design requirements — regulatory, user and system — are still met after the change has been made to the device.

Excerpted from the FDAnews book, “Designing Secure Medical Devices: Building Cybersecurity into the Development Process.” Access the book here.

To read the full story, click here to subscribe.

Related Topics