FDA Medical Device Cybersecurity Frequently Asked Questions (FAQs)

admin, 2025-06-24 23:24:42

Contact

WeChat: when adding, use the note "医疗器械" (medical devices)

Preface

Although it has been a year and a half since the FDA issued the final guidance Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, many companies are still unclear about what the FDA actually requires on cybersecurity. In 2024 the FDA published a dedicated Cybersecurity in Medical Devices: Frequently Asked Questions (FAQs) page that answers nine questions and resolves a good number of these doubts. Below we reproduce the content at that link. I have also written a version that adds a solution for each question; if you need it, scan the QR code above to add me on WeChat. For other topics, leave a message in the back end of the official account.

Original link

https://www.fda.gov/medical-devices/digital-health-center-excellence/cybersecurity-medical-devices-frequently-asked-questions-faqs#6854de5caa0e0

Main text

This page provides answers to frequently asked questions (FAQs) related to cybersecurity in medical devices.

On December 29, 2022, the Consolidated Appropriations Act, 2023 ("Omnibus") was signed into law. Section 3305 of the Omnibus—"Ensuring Cybersecurity of Medical Devices"—amended the Federal Food, Drug, and Cosmetic Act (FD&C Act) by adding section 524B, Ensuring Cybersecurity of Devices. The information provided on this page may be useful for sponsors in preparing their premarket submissions.

Q1: Who is required to comply with section 524B of the FD&C Act? What types of premarket submissions does this apply to?

A: Under section 524B(a) of the FD&C Act, a person who submits a premarket application or submission— including 510(k), premarket approval application (PMA), Product Development Protocol (PDP), De Novo, or Humanitarian Device Exemption (HDE)— for a device that meets the definition of a cyber device, as defined under section 524B(c), is required to submit information to ensure that cyber devices meet the cybersecurity requirements under section 524B(b). This includes Special and Abbreviated 510(k) applications as well as PMA and HDE supplements.

Q2: What is a cyber device?

A: Section 524B(c) of the FD&C Act defines "cyber device" as a device that (1) includes software validated, installed, or authorized by the sponsor as a device or in a device, (2) has the ability to connect to the internet, and (3) contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats. If manufacturers are unsure as to whether their device is a cyber device, they may contact the FDA.

Q3: Does this law only apply to future medical devices, rather than retroactively?

A: As provided by the Omnibus, the cybersecurity requirements do not apply to an application or submission submitted to the Food and Drug Administration (FDA) before March 29, 2023. If a cyber device was previously authorized, and the manufacturer is making a change to the device that requires premarket review by the agency, the law would apply for the new premarket submission.

Q4: What requirements apply to manufacturers of cyber devices under section 524B of the FD&C Act?

A: Section 524B(a) of the FD&C Act provides that the sponsor of a premarket submission for a cyber device must include information to demonstrate that the cyber device meets the cybersecurity requirements in section 524B(b) of the FD&C Act. The requirements in section 524B(b) of the FD&C Act are:

  • Submit a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures;
  • Design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems; and
  • Provide a software bill of materials, including commercial, open-source, and off-the-shelf software components.

The FDA may also issue regulations with other requirements to demonstrate reasonable assurance that the device and related systems are cybersecure. See FAQs 6 through 9 for additional details on ways manufacturers might demonstrate that their devices are cybersecure.

Q5: When do manufacturers of cyber devices have to submit the information described in section 524B?

A: Manufacturers of cyber devices are required to submit this information starting March 29, 2023, in premarket submissions including 510(k), premarket approval application (PMA), Product Development Protocol (PDP), De Novo, or Humanitarian Device Exemption (HDE). This includes Abbreviated and Special 510(k) submissions and PMA/HDE supplements. Premarket submissions that were received prior to March 29, 2023, and are under review or currently on hold are not subject to these requirements.

The Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions final guidance does not supersede the previously issued guidance Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber Devices and Related Systems; however, the policy in the latter guidance expired on October 1, 2023. Beginning October 1, 2023, the FDA expects that sponsors of cyber devices will have had sufficient time to prepare premarket submissions that contain information required by section 524B of the FD&C Act.

Additionally, as part of the FDA’s efforts to modernize the 510(k) Program and implement MDUFA V, starting October 1, 2023, all 510(k) submissions, unless exempted, must be submitted as electronic submissions using eSTAR, as noted in the Electronic Submission Template for Medical Device 510(k) Submissions final guidance. For eSTAR submissions, an eSTAR will be put on a Technical Screening hold if it does not contain accurate responses and relevant attachments in the Cybersecurity section of eSTAR.

Q6: Section 524B(b)(1) of the FD&C Act requires manufacturers of cyber devices to submit plans to manage vulnerabilities and exploits as part of their premarket submissions. What resources are available to manufacturers?

A: The 2023 guidance Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions and the 2016 guidance Postmarket Management of Cybersecurity in Medical Devices describe recommendations for managing cybersecurity after the device has been introduced into the market.

Q7: Section 524B(b)(2) of the FD&C Act requires, among other aspects, that manufacturers of cyber devices design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure. What resources are available to manufacturers?

A: The 2023 guidance Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions provides recommendations on cybersecurity considerations for devices and provides recommendations for documentation in device premarket submissions that may help manufacturers meet their obligations with the 524B(b)(2) requirements.

Q8: Section 524B(b)(2) of the FD&C Act also requires manufacturers of cyber devices to make available postmarket updates and patches to the device and related systems to address vulnerabilities. What resources are available to manufacturers?

A: The 2023 guidance Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions discusses throughout plans for patches and updates across the total product life cycle (TPLC). The 2016 guidance "Postmarket Management of Cybersecurity in Medical Devices" discusses cybersecurity routine updates and patches and describes patching in the context of remediating cybersecurity vulnerabilities.

Q9: Section 524B(b)(3) of the FD&C Act requires that manufacturers of cyber devices provide a software bill of materials (SBOM) for the commercial, open-source, and off-the-shelf software components contained within the device. What resources are available to manufacturers?

A: The 2023 guidance Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions discusses SBOMs in Section V.A.4(b). Additional information about SBOMs can be found in the October 2021 National Telecommunications and Information Administration (NTIA) Multistakeholder Process on Software Component Transparency document Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM).
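As an added example (not part of the FDA page or the original post), the script below builds a small CycloneDX-format SBOM for a hypothetical device firmware and checks each component for the baseline elements that NTIA's minimum-elements guidance lists (supplier, component name, version, unique identifier, dependency relationship, SBOM author, timestamp), plus the end-of-support date that the 2023 FDA premarket guidance asks manufacturers to supply alongside their SBOM. The device name, suppliers, components, versions and dates are constructed, and the `fda:endOfSupport` property name is this example's own convention, not a CycloneDX or FDA field.

```python
"""Minimal CycloneDX 1.4 SBOM for a hypothetical cyber device, checked against
the NTIA baseline component elements. Added example: every device, supplier
and component name below is constructed, not taken from the FDA page."""
import json
import uuid
from datetime import datetime, timezone

# Per-component elements NTIA's minimum SBOM elements call for: supplier,
# name, version, unique identifier (purl). Relationship, author and
# timestamp are checked separately.
REQUIRED_COMPONENT_FIELDS = ("supplier", "name", "version", "purl")

DEVICE_NAME, DEVICE_VERSION = "InfusionPump-X1", "4.0.0"  # hypothetical
DEVICE_REF = f"device:{DEVICE_NAME}@{DEVICE_VERSION}"

# Constructed inventory; ble-stack deliberately has no end-of-support date.
COMPONENTS = [
    {"bom-ref": "pkg:generic/acme-rtos@10.4.6", "name": "acme-rtos",
     "version": "10.4.6", "supplier": "Acme Embedded (hypothetical)",
     "purl": "pkg:generic/acme-rtos@10.4.6", "end_of_support": "2027-12-31"},
    {"bom-ref": "pkg:generic/acme-tls@3.2.1", "name": "acme-tls",
     "version": "3.2.1", "supplier": "Acme Embedded (hypothetical)",
     "purl": "pkg:generic/acme-tls@3.2.1", "end_of_support": "2026-06-30"},
    {"bom-ref": "pkg:generic/ble-stack@2.0.0", "name": "ble-stack",
     "version": "2.0.0", "supplier": "Contoso Radio (hypothetical)",
     "purl": "pkg:generic/ble-stack@2.0.0"},
]
DEPENDENCIES = {  # bom-ref -> bom-refs it depends on
    DEVICE_REF: ["pkg:generic/acme-rtos@10.4.6", "pkg:generic/acme-tls@3.2.1",
                 "pkg:generic/ble-stack@2.0.0"],
    "pkg:generic/acme-tls@3.2.1": ["pkg:generic/acme-rtos@10.4.6"],
}

def build_sbom(device_name, device_version, components, dependencies,
               author="Manufacturer product security team (hypothetical)"):
    """Return a CycloneDX 1.4 document (as a dict) for the device."""
    comps = []
    for c in components:
        entry = {"type": "library", "bom-ref": c["bom-ref"], "name": c["name"],
                 "version": c["version"], "supplier": {"name": c["supplier"]},
                 "purl": c["purl"]}
        # FDA's 2023 premarket guidance also asks for each component's support
        # level and end-of-support date; CycloneDX has no dedicated field, so
        # this example carries the date as a custom property.
        if "end_of_support" in c:
            entry["properties"] = [{"name": "fda:endOfSupport",
                                    "value": c["end_of_support"]}]
        comps.append(entry)
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "authors": [{"name": author}],
            "component": {"type": "device", "name": device_name,
                          "version": device_version,
                          "bom-ref": f"device:{device_name}@{device_version}"},
        },
        "components": comps,
        "dependencies": [{"ref": ref, "dependsOn": sorted(deps)}
                         for ref, deps in dependencies.items()],
    }

def check_ntia_baseline(sbom):
    """Return findings (strings); empty means every component carries the
    baseline elements and a recorded end-of-support date."""
    findings = []
    meta = sbom.get("metadata", {})
    if not meta.get("timestamp"):
        findings.append("metadata.timestamp missing")
    if not meta.get("authors"):
        findings.append("metadata.authors missing (SBOM author)")
    placed = set()  # refs that appear anywhere in the dependency graph
    for d in sbom.get("dependencies", []):
        placed.add(d["ref"])
        placed.update(d.get("dependsOn", []))
    for comp in sbom.get("components", []):
        ref = comp.get("bom-ref", "<no bom-ref>")
        for field in REQUIRED_COMPONENT_FIELDS:
            value = comp.get(field)
            if field == "supplier":
                value = (value or {}).get("name")
            if not value:
                findings.append(f"{ref}: {field} missing")
        if ref not in placed:
            findings.append(f"{ref}: no dependency relationship recorded")
        props = {p["name"]: p["value"] for p in comp.get("properties", [])}
        if "fda:endOfSupport" not in props:
            findings.append(f"{ref}: end-of-support date not recorded")
    return findings

def demo():
    sbom = build_sbom(DEVICE_NAME, DEVICE_VERSION, COMPONENTS, DEPENDENCIES)
    return sbom, check_ntia_baseline(sbom)

if __name__ == "__main__":
    sbom, findings = demo()
    print(json.dumps(sbom, indent=2))
    print("\n".join(findings))
```

Running it prints the JSON document and a single finding for the BLE stack entry, whose end-of-support date was left out on purpose. The same check run over a supplier-provided SBOM before it goes into the submission catches those gaps before a reviewer does.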

About the author:

OWASP China member with over 11 years in cybersecurity, including 4 years running security projects at a major security vendor; one of the first cybersecurity specialists in China to put medical device cybersecurity projects into practice, with over a hundred projects completed in 5 years. An article published on a cybersecurity portal, "Interpretation and Practice of Medical Device Cybersecurity Registration Submission Requirements", has been read nearly 500,000 times. Holds the CISP-PTE (Certified Information Security Professional - Penetration Test Engineer), CISD (Certified Information Security Developer) and ISO 27001 certifications, which correspond to the penetration testing, secure development and risk assessment parts of medical device cybersecurity services. Every project participated in closed with zero additional-information requests, and on several occasions helped clients close out deficiency items in a single round.

Recent project highlights

    On a Saturday in late May 2025, received an FDA additional-information request due the following Tuesday; took on the urgent task, resolved the deficiencies and obtained clearance, once again demonstrating the professional value of a "fire brigade".

Previous posts:

[Long read] IEC 81001-5-1: the most complete interpretation and practice (1)

[Long read] IEC 81001-5-1: the most complete interpretation and practice (2)

[Important] FDA has set a transition requirement for CVSS

[Explainer] Medical device cybersecurity registration review requirements in major countries/regions

[Explainer] Series: basic concepts of medical device cybersecurity

Originally published on the WeChat official account 医械网络安全圈 (Medical Device Cybersecurity Circle): FDA Medical Device Cybersecurity Frequently Asked Questions (FAQs)

Disclaimer: the programs (methods) covered in this article may be offensive in nature and are provided for security research and teaching only. Readers who use this information for any other purpose bear full legal and joint liability, and this site bears none. For questions, contact us by email (preferably from a corporate or otherwise valid mailbox so the message is not filtered; see the home page for contact details).
Posted by admin on 2025-06-24 23:24:42
Please keep this link when reposting (CN-SEC: thanks to the original author for their work): FDA Medical Device Cybersecurity Frequently Asked Questions (FAQs) https://cn-sec.com/archives/4196084.html