The Secure Product Development Framework and Medical Device Cybersecurity

Medical device cybersecurity welcomed a new era with the Food and Drug Administration's (FDA) updated guidance in 2023. Part of this document was the recommendation to implement and adopt a Secure Product Development Framework (SPDF).

SPDF isn’t a new mechanism in cybersecurity. However, this is the first time the FDA has defined it to satisfy the Quality System (QS) regulation. Let’s review the FDA’s SPDF interpretations and how they apply to QS.

What Is SPDF?

SPDF is a set of processes that can reduce the number and severity of vulnerabilities within a product during its lifecycle.

There are five components within SPDF as it relates to each product lifecycle stage:

  • Risk management: Involves identifying, evaluating, and mitigating cybersecurity risk and should be proactive
  • Design and development controls: Emphasizes integrating security controls into the design and development phase
  • Information security management: Establishes policies and controls for safeguarding data
  • Secure communications: Protects data in transit to avoid breaches
  • Postmarket surveillance and response: Encompasses continuous monitoring of devices and the deployment of patches

What Is the QS Regulation?

The QS regulation is the section of FDA 21 CFR Part 820 that defines medical device quality and safety requirements. It includes a framework for basic protocols that manufacturers should use.

The new FDA rules amended this provision, which will be enforceable beginning February 2, 2026. Notable changes include:

  • Emphasizing risk-based decision-making
  • Removing exceptions that previously shielded management reviews, quality audits, and supplier audit reports
  • The relevancy of QS requirements may pertain to premarket, postmarket, or both.

How Does SPDF Satisfy the QS Regulation?

Within the FDA guidance, the agency specifically calls out how SPDF fulfills the QS regulation. Since SPDF covers the entire lifecycle of the product, it’s a fitting framework for cybersecurity.

The key objective of using an SPDF is to discover vulnerabilities early and often. Doing so keeps devices cyber secure. A considerable advantage of an SPDF is that it transforms the development environment into one that’s secure by design, which means security is at the forefront from the beginning.

How Can You Use SPDF to Manage Cybersecurity Risks?

Implementing an SPDF leads to more resilient and trustworthy devices. Monitoring their cyber footprint and risks becomes much easier if they are secure by design. It also introduces flexibility into the design of devices, which may be necessary as new risks emerge.

The FDA’s focus on SPDF includes:

Security Risk Management

Using SPDF in risk management means exposing how threats can occur through vulnerabilities. The FDA established the security risk management processes within the QS regulation.

With SPDF as a framework, you can define risk evaluation methods, draw conclusions on risk propensity, activate risk mitigation, and provide traceability. The key parts of security risk management that align with SPDF include:

  • Threat modeling
  • Risk assessments
  • Interoperability considerations
  • Third-party software
  • Security assessments of unresolved anomalies
  • Total product lifecycle (TPLC) security risk management

Security Architecture

Security architecture is the next piece of the SPDF for medical devices. The FDA requires documentation of this. First, you need to implement security controls, such as authentication, authorization, cryptography, and code, data, and execution integrity.

In addition to design controls, the FDA requires manufacturers to establish and maintain processes for preventive action, with attention to the views provided in the premarket submission: global system, multi-patient harm, patchability, and security use cases.

Cybersecurity Testing

The final piece of the SPDF recommendations is testing. Testing should confirm the effectiveness of the design controls. The FDA suggests verification and validation through testing to provide evidence for:

  • Security design implementation success
  • Threat models working effectively to control risk

As noted by the FDA, the means for testing are vulnerability and penetration testing. These tactics support proactive cybersecurity and should be continuous in the medical device’s lifecycle.

Medical device cybersecurity has become more complex. This trajectory will continue as new threats emerge and cybercriminals evolve. Applying an SPDF is another way to layer security, providing a unique lens for visibility across the entire risk landscape. Establishing and continuously improving this framework enables you to keep pace with regulations and threat actors.

Rafael Pozos

Problem Solver | Risk Management Practitioner | Regulatory Affairs | Sr Quality Engineer | Cybersecurity | Project Manager | Deficiency Remediation | Medical Device | FDA | ISO 13485 | ISO 14971 | IEC 62304 | Process Improvement

8 months

Very well written!! Having helped a startup comply with this regulation after their product was largely developed, this is very much my recent experience. It's actually easier than you might think to incorporate these items into your design and development process after a heavy lift at the beginning. I am available to help manage that heavy lift. I did the threat model, risk assessments of each trust boundary, interoperability considerations with the operating, software composition analysis and an assessment of third party software, etc. I'm here to help.

More articles by Christian Espinosa