By clicking “Accept”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
AcceptDenyPreferences
Privacy
FRequently Asked Questions

What are the tiers for cybersecurity risk?

View All FAQs
About the Author
Proxima CRO Team
Isabella Schmitt, MBA, RAC
Director of Regulatory Affairs
Ms. Schmitt has also served in additional regulatory affairs and clinical research roles in which she contributed to multiple regulatory submissions and clinical affairs projects across a wide range of indications.
Read More >>
Tier 1 “Higher Cybersecurity Risk”

A device is a Tier 1 device if the following criteria are met:

  • The device is capable of connecting (wired or wirelessly) to another medical or non-medical product, or to a network, or to the Internet; AND
  • A cybersecurity incident affecting the device could directly result in patient harm to multiple patients

Examples include:

  • Implantable cardioverter defibrillators (ICDs)
  • Pacemakers
  • Left ventricular assist devices (LVADs)
  • Brain stimulators and neurostimulators
  • Dialysis devices
  • Infusion and insulin pumps, and the supporting connected systems that interact with these devices such as home monitors and those with command and control functionality such as programmers.
Tier 2 “Standard Cybersecurity Risk”

A medical device for which the criteria for a Tier 1 device are not met.

This cybersecurity risk tiering may not track to FDA’s existing statutory device classifications. For example, based on the manufacturer’s assessment and device design, a class II device such as an infusion pump may meet the criteria for Tier 1 higher cybersecurity risk, while a class III device such as a coronary atherectomy device with no connectivity may meet the criteria for Tier 2 standard cybersecurity risk. The principles and approaches described are broadly applicable to all medical devices and are intended to be consistent with the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity to manage cybersecurity-related risks by focusing on core functions of identify, protect, detect, respond, and recover.

Related Terms:
No items found.
Related FAQs:
What are the design expectations to help manufacturers detect, respond to, and recover cybersecurity risks?
How should you use animal studies in preparation for a regulatory submission?
What is the difference between bench, animal, and clinical testing? Are all these forms of performance testing required?
How should you link your Q-Submission to future regulatory submissions?
What information is required for a De Novo request?
What should be included in study designs for comparison and reproducibility studies that support a Dual Submission?
What information should be included in a Q-Submission?
What are the consequences of distributing unapproved IVDs labeled for research use only (RUO) or investigational use only (IUO)?
What is the FDA's Corrective and Preventive Actions (CAPA) system procedure?
What information should be included in the 510(k) Cover Letter, 510(k) Summary, and 510(k) Statement?
More Questions? We're here to help!
SPEAK WITH A SPECIALIST
Recent Awards & Recognition
Best Places to Work
Modern Healthcare
Best Places to Work
Modern Healthcare
SolutionsRegulatory Clinical Biotech
MedTech
RESOURCESNewsletterResource HubFor InvestorsEventsPrivacy
ProximaWhy ProximaLeadershipNewsContactCareers
CONNECTHello@ProximaCRO.com+1.774.473.9524
Join our team
Proxima Clinical Research, Inc. (aka Proxima CRO) is a registered Delaware C Corp, headquartered in Houston, TX
2450 Holcombe Blvd, Houston, TX 77021
© Copyright 2023 Proxima Clinical Research, Inc. All Rights Reserved.