The FDA Cybersecurity Guidance and the GxP Cloud

Posted by Rebecca Santorios on January 7, 2016


The team at ByteGrid has been implementing and validating FDA-compliant computer systems for years. Our regulatory team has achieved FDA acceptance for medical device software and other GxP regulated computer systems for a multitude of platforms, including complex, networked systems.

Now that the FDA has finalized its guidance, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, let's look at some of the ways GxP cloud hosting can help medical device manufacturers adhere to the agency's recommendations.

Who's Affected

The guidance addresses any medical devices "that contain software (including firmware) or programmable logic as well as software that is a medical device." While not all of these are cloud-based, many can be, especially medical device software deployed as SaaS.

Guidance Highlights

The guidance is intended to help device manufacturers ensure that their regulatory submissions provide assurance that they've implemented cybersecurity management sufficiently to "reduce the risk to patients by decreasing the likelihood that device functionality is intentionally or unintentionally compromised by inadequate cybersecurity". If you're using cloud services to deploy your device, you'll want to pay special attention to the guidance's recommendations that pertain to your infrastructure.

Risk Assessment

A documented risk assessment is already required for medical devices by 21 CFR 820.30(g), and this is one of the first places where your IT infrastructure will appear. The guidance recommends that device manufacturers include the following in their risk assessment:

  • Identification of assets, threats, and vulnerabilities;
  • Assessment of the impact of threats and vulnerabilities on device functionality and end users/patients;
  • Assessment of the likelihood of a threat and of a vulnerability being exploited;
  • Determination of risk levels and suitable mitigation strategies;
  • Assessment of residual risk and risk acceptance criteria.

Expect to cover things like physical security, firewalls and virus protection in your risk assessment. With GxP compliant hosting, your infrastructure will include all of these, implemented, documented, and validated to agency expectations. Note that these controls cover the hosting layer only: threats to the device software itself (for example, a vulnerability in your own application code or an unsigned update) still have to be identified, assessed and mitigated by the manufacturer.

Regulatory Submission

Perhaps the most important part of the guidance is its list of specific contents to be included in a premarket submission, whether a 510(k) or a PMA. Specifically, the guidance recommends that the submission include:

  • A hazard analysis, mitigations, and design considerations pertaining to intentional and unintentional cybersecurity risks associated with the device
  • A traceability matrix that links actual cybersecurity controls to the cybersecurity risks that were considered
  • A summary describing the plan for providing validated software updates and patches as needed throughout the lifecycle of the medical device
  • A summary describing controls that are in place to assure that the medical device software will maintain its integrity (e.g. remain free of malware) from the point of origin to the point at which that device leaves the control of the manufacturer
  • Product specifications related to recommended cybersecurity controls appropriate for the intended use environment (e.g. anti-virus software, use of firewall).
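As an added illustration, and not code from the original post or from ByteGrid, here is a small Python risk register that follows the risk assessment steps listed earlier (assets, threats, vulnerabilities, likelihood, impact, risk level, residual risk against acceptance criteria) and then builds the traceability matrix the submission list asks for, linking each control to the risks it addresses. It also runs the consistency checks a reviewer would want: risks with no control traced to them, controls that cite a risk that is not in the register, residual risk still above the acceptance criterion, and a claimed reduction in residual risk that no control backs. The ordinal scales, the acceptance threshold, and the sample risks and controls are all constructed assumptions for the example.

```python
from dataclasses import dataclass

# Ordinal scales for likelihood and severity. These values are constructed
# for this example; use the scales your own risk management procedure defines.
LIKELIHOOD = {"remote": 1, "occasional": 2, "probable": 3, "frequent": 4}
SEVERITY = {"negligible": 1, "minor": 2, "serious": 3, "critical": 4}

# Assumed risk acceptance criterion: a likelihood x severity score at or
# below this value is acceptable without further mitigation.
ACCEPTABLE_SCORE = 4


@dataclass
class Risk:
    risk_id: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: str            # before controls
    severity: str
    residual_likelihood: str   # claimed after controls; must be justified
    residual_severity: str


@dataclass
class Control:
    control_id: str
    description: str
    layer: str                 # "hosting" (provider) or "device" (manufacturer)
    mitigates: tuple           # risk_ids this control is claimed to address


def score(likelihood: str, severity: str) -> int:
    """Risk score = ordinal likelihood x ordinal severity."""
    return LIKELIHOOD[likelihood] * SEVERITY[severity]


def risk_level(value: int) -> str:
    """Bucket a score into a risk level (thresholds are assumed)."""
    if value <= ACCEPTABLE_SCORE:
        return "low"
    return "medium" if value <= 8 else "high"


def traceability(risks, controls):
    """Traceability matrix: risk_id -> sorted control_ids that cite it."""
    matrix = {r.risk_id: [] for r in risks}
    for c in controls:
        for rid in c.mitigates:
            if rid in matrix:
                matrix[rid].append(c.control_id)
    return {rid: sorted(ids) for rid, ids in matrix.items()}


def find_gaps(risks, controls, acceptable=ACCEPTABLE_SCORE):
    """Consistency checks a reviewer would run over the register."""
    matrix = traceability(risks, controls)
    known = {r.risk_id for r in risks}
    by_id = {r.risk_id: r for r in risks}
    unmitigated = sorted(rid for rid, ids in matrix.items() if not ids)
    return {
        # risks with no control traced to them at all
        "unmitigated": unmitigated,
        # controls citing a risk_id that is not in the register
        "dangling": sorted((c.control_id, rid) for c in controls
                           for rid in c.mitigates if rid not in known),
        # residual risk still above the acceptance criterion
        "residual_above_acceptance": sorted(
            r.risk_id for r in risks
            if score(r.residual_likelihood, r.residual_severity) > acceptable),
        # residual lower than initial although no control backs the reduction
        "unjustified_reduction": sorted(
            rid for rid in unmitigated
            if score(by_id[rid].residual_likelihood, by_id[rid].residual_severity)
            < score(by_id[rid].likelihood, by_id[rid].severity)),
    }


def build_sample_register():
    """Constructed sample data; not taken from any real submission."""
    risks = [
        Risk("R1", "patient data on hosted VM disk", "media theft at data center",
             "unencrypted storage volume", "occasional", "critical",
             "remote", "critical"),
        Risk("R2", "device software update channel", "malicious update package",
             "updates not signature-checked", "probable", "serious",
             "occasional", "serious"),
        Risk("R3", "device web service", "remote code execution",
             "unpatched third-party library", "probable", "critical",
             "remote", "critical"),
    ]
    controls = [
        Control("C1", "encrypted storage volumes", "hosting", ("R1",)),
        Control("C2", "signed updates verified before install", "device", ("R2",)),
        Control("C3", "perimeter firewall", "hosting", ("R9",)),  # mistyped risk id
    ]
    return risks, controls


if __name__ == "__main__":
    risks, controls = build_sample_register()
    for r in risks:
        s = score(r.likelihood, r.severity)
        print(r.risk_id, s, risk_level(s))
    print(traceability(risks, controls))
    print(find_gaps(risks, controls))
```

On the sample data the checks flag three distinct problems: R3 has no control at all, yet claims a reduced residual risk; C3 cites a risk id that does not exist; and R2's residual score of 6 is still above the acceptance threshold, so it needs either a further control or a documented risk acceptance. Each of these is exactly the kind of inconsistency between the hazard analysis and the traceability matrix that a reviewer will look for.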

Can you prepare all of these to agency standards? ByteGrid has laid the foundation with our fully validated, GxP compliant cloud. You'll need to tie this together with your specific software and its intended use. Our team of regulatory experts can help you achieve this. We have years of experience successfully validating systems and achieving FDA acceptance.

GxP Cloud Hosting

ByteGrid is GxP compliant from the ground up. We have a mature quality system, and all of the required supporting systems, developed in full compliance with the medical device Quality System Regulation. Contact us today to schedule an audit of our validated GxP data center.