Is my device a cyber device?
According to the FDA medical device cybersecurity FAQS as of October 12, 2023:
Section 524B(c) of the FD&C Act defines "cyber device" as a device that (1) includes software validated, installed, or authorized by the sponsor as a device or in a device, (2) has the ability to connect to the internet, and (3) contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to the cybersecurity threats. If manufacturers are unsure as to whether their device is a cyber device, they may contact the FDA.
This means that if you device has an electronic interface of any type, such as wi-fi or USB, regardless of whether it was intended to be connected to the internet or not, you need to provide proof that the device cannot be connected to the internet.
Medcrypt expert tip: Your device is considered to be connectable unless you can prove otherwise via threat modeling and a Secure Product Development Framework. If you didn't design it specifically to not be connected, then it can be. If, in your eSTAR submission, you have a USB port that you do not report, but the FDA reviewer does a quick search for USB and finds this discrepancy, they will put an automatic hold on your submission. Don't feel comfortable going this alone? You don't have to! Contact us so we can optimize your FDA readiness.
Risks increase if the device contains one or more of these interfaces:
Wired: USB, ethernet, RF, inductive, cloud, etc.
Wireless: wi-fi, Bluetooth, RF, inductive, cloud, etc.
Cybersecurity considerations apply for the entire system, not just the end device. Examples include:
Software update infrastructure
Cloud applications
Commercial devices (phones, tablets, computers, etc.)
Last updated