About the Author
Proxima CRO Team
Isabella Schmitt, MBA, RAC
Director of Regulatory Affairs
Ms. Schmitt has also served in additional regulatory affairs and clinical research roles in which she contributed to multiple regulatory submissions and clinical affairs projects across a wide range of indications.
Tier 1 “Higher Cybersecurity Risk”

A device is a Tier 1 device if the following criteria are met:

  • The device is capable of connecting (wired or wirelessly) to another medical or non-medical product, or to a network, or to the Internet; AND
  • A cybersecurity incident affecting the device could directly result in patient harm to multiple patients

Examples include:

  • Implantable cardioverter defibrillators (ICDs)
  • Pacemakers
  • Left ventricular assist devices (LVADs)
  • Brain stimulators and neurostimulators
  • Dialysis devices
  • Infusion and insulin pumps
  • The supporting connected systems that interact with these devices, such as home monitors, and those with command and control functionality, such as programmers
Tier 2 “Standard Cybersecurity Risk”

A medical device for which the criteria for a Tier 1 device are not met.

This cybersecurity risk tiering may not track to FDA’s existing statutory device classifications. For example, based on the manufacturer’s assessment and device design, a class II device such as an infusion pump may meet the criteria for Tier 1 higher cybersecurity risk, while a class III device such as a coronary atherectomy device with no connectivity may meet the criteria for Tier 2 standard cybersecurity risk. The principles and approaches described are broadly applicable to all medical devices and are intended to be consistent with the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity to manage cybersecurity-related risks by focusing on core functions of identify, protect, detect, respond, and recover.
