Cybersecurity in Medical Devices: Definitions from FDA's Draft Guidance

January 20, 2016

Compensating Controls:

“A safeguard or countermeasure, external to the device, employed by a user in lieu of, or in the absence of sufficient controls that were designed in by a device manufacturer, and that provides supplementary or comparable cyber protection for a medical device.”

Controlled Risk:

“Present when there is sufficiently low (acceptable) residual risk that the device’s essential clinical performance could be compromised by a cybersecurity vulnerability.”

Cybersecurity Routine Updates and Patches:

“Updates or patches to a device to increase device security and/or remediate vulnerabilities associated with controlled risk and not to reduce a risk to health or correct a violation of the FD&C Act.”

Cybersecurity Signal:

“Any information which indicates the potential for, or confirmation of, a cybersecurity vulnerability or exploit that affects, or could affect a medical device.”

Essential Clinical Performance:

This concept was developed for the purpose of this guidance and means “performance that is necessary to achieve freedom from unacceptable clinical risk, as defined by the manufacturer.”


“An instance where a vulnerability or vulnerabilities have been exercised (accidentally or intentionally) and could impact the essential clinical performance of a medical device or use a medical device as a vector to compromise the performance of a connected device or system.”


“Any action(s) taken to reduce the risk to the medical device’s essential clinical performance to an acceptable level. Remediation actions may include complete solutions to remove a cybersecurity vulnerability from a medical device (sometimes known as official fix) or compensating controls that adequately mitigate the risk (e.g., notification to customer base and user community identifying a temporary fix, or work-around).”


“Any circumstance or event with the potential to adversely impact the essential clinical performance of the device, organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, or other organizations through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.”

Threat Modeling:

“A methodology for optimizing Network/Application/Internet Security by identifying objectives and vulnerabilities, and then defining countermeasures to prevent, or mitigate the effects of, threats to the system. For medical devices, threat modeling can be used to optimize mitigations by identifying vulnerabilities and threats to a particular product, products in a product line, or from the organization’s supply chain that can adversely affect patient safety.”

Uncontrolled Risk:

“Present when there is unacceptable residual risk that the device’s essential clinical performance could be compromised due to insufficient compensating controls and risk mitigations.”


“A weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat.”

For more information on FDA recommendations for postmarket management of cybersecurity in medical devices, view our FDA News article.

As stated in the FDA’s draft guidance entitled, “Postmarket Management of Cybersecurity in Medical Devices.”

Medical Device Agency Alerts

January 20, 2016

FDA Considers Moving Medical Device Submissions to Electronic Format

On Thursday, September 13th, FDA published a proposed rule which would amend the current premarket submission requirements for medical devices. Background In July 2012, the Food and Drug...

Read More
Quality & Compliance Agency Alerts

January 20, 2016

FDA Guidance: Design & Analysis of Shedding Studies During Preclinical & Clinical Development

Recently, FDA published a guidance (entitled “Design and Analysis of Shedding Studies for Virus or Bacteria-Based Gene Therapy and Oncolytic Products”) providing sponsors with recommendations on how...

Read More
Agency Alerts General Regulatory

January 20, 2016

Will FDA Change the Definition of “Intended Use”?

FDA released proposed regulation that would allow sponsors to determine if their product is a drug/device, or if it is not a drug/device. Last week, the Agency announced a proposed rule “to provide...

Read More