On January 22, 2016, the Food and Drug Administration (FDA) issued draft guidance titled “Postmarket Management of Cybersecurity in Medical Devices,” setting forth proposed recommendations for the medical device industry as well as FDA staff on the management of cybersecurity vulnerabilities in networked medical devices (such as insulin pumps, pacemakers and defibrillators) already in the marketplace.[1]

This Draft Guidance follows previously issued premarket guidance pertaining to cybersecurity vulnerabilities of medical devices, creating a regulatory scheme governing cyber threats throughout the devices’ lifecycles. While the Draft Guidance does not establish legally enforceable responsibilities (i.e., nothing in the document should be considered binding or mandatory), it provides a potentially very interesting model for how manufacturers can categorize the risks posed by cyber-vulnerabilities in their medical devices, as well as when and how they might address those risks.

It also offers reduced reporting requirements under 21 C.F.R. Part 806 for manufacturers who voluntarily adopt the recommendations and join an Information Sharing Analysis Organization (ISAO). In particular, medical device manufacturers should take note of the FDA’s comprehensive attention to the cybersecurity threats posed by networked medical devices as well as the risk management strategies for identifying and addressing cyber vulnerabilities.

Key takeaways from the Draft Guidance include:

  • Implementation of Cybersecurity Risk Management Plans
  • Controlled versus Uncontrolled Risks
  • Cybersecurity Disclosure Requirements only for Vulnerabilities and Exploits that May Compromise the Essential Clinical Performance of a Device
  • Impact of Involvement in an ISAO on Certain Reporting Requirements

Medical device manufacturers that may be affected by the Draft Guidance have until April 21, 2016, to submit comments. Written comments should be submitted to the Division of Dockets Management (HFA-305), Food and Drug Administration, 5630 Fishers Lane, Rm. 1061, Rockville, MD 20852, and electronic comments should be submitted to http://www.regulations.gov.


A New Front in the Struggle for Cybersecurity

Attention to medical device cybersecurity by government agencies skyrocketed several years ago following reports about possible cyber-vulnerabilities in insulin pumps. As more medical devices began to incorporate wireless capabilities and connect to the networks of hospitals, health systems, and other health care entities, the risks to both patient safety and protected health information intensified. These concerns were noted in President Obama’s 2013 Executive Order 13636 – Improving Critical Infrastructure Cybersecurity, which called for enhanced security, cybersecurity information sharing, and implementation of risk-based standards. Recent large-scale cyberattacks have continued to highlight cybersecurity concerns associated with medical devices connected to the Internet. With more Americans than ever now relying on the efficacy and safety of networked medical devices, many experts view medical device vulnerabilities as one of the key cybersecurity issues for 2016.

The Draft Guidance is the latest of several steps that the FDA has taken to address and manage the cybersecurity threats posed by the increasing number of medical devices that are exposed to them (i.e., devices that incorporate software and are connected to an IT network, such as certain pacemakers, surgical robots and insulin pumps). In October 2014, the FDA issued guidance encouraging medical device manufacturers to consider cybersecurity threats during the design and development process (i.e., security by design) and describing how manufacturers should prepare premarket submissions for those devices.[2] The FDA’s first device-specific action to combat cybersecurity risks followed on July 31, 2015.[3]

With the issuance of the Draft Guidance, which focuses on addressing postmarket cybersecurity threats, the FDA has made clear that the threat imposed by cybersecurity should be considered throughout the duration of a device’s lifecycle. The Draft Guidance clarifies the FDA’s postmarket recommendations related to cybersecurity in (i) medical devices that contain software or programmable logic and (ii) software that is a medical device.[4] In addition, the Draft Guidance emphasizes industry’s role in monitoring, identifying, and addressing cybersecurity vulnerabilities as part of the postmarket management of medical devices.

A Lifelong Commitment: FDA Releases Postmarket Guidance on Cybersecurity Risk Management for Medical Device Manufacturers


  1. “Postmarket Management of Cybersecurity in Medical Devices; Draft Guidance for Industry and Food and Drug Administration Staff,” dated January 22, 2016.
  2. “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” dated October 2, 2014.
  3. “Cybersecurity Vulnerabilities of Hospira Symbiq Infusion System: FDA Safety Communication,” July 31, 2015.
  4. The Postmarket Draft Cyber Guidance does not apply to experimental or investigational medical devices.

These and any accompanying materials are not legal advice, are not a complete summary of the subject matter, and are subject to the terms of use found at: https://www.pillsburylaw.com/en/terms-of-use.html. We recommend that you obtain separate legal advice.