FDA Releases Guidance for Medical Device Cybersecurity | Practical Law

The FDA has published nonbinding guidance for industry and FDA staff to use to manage cybersecurity vulnerabilities in medical devices.

FDA Releases Guidance for Medical Device Cybersecurity

Practical Law Legal Update w-005-2637 (Approx. 3 pages)

by Practical Law Intellectual Property & Technology
Published on 05 Jan 2017, USA (National/Federal)
On December 28, 2016, the FDA published Postmarket Management of Cybersecurity in Medical Devices, a final nonbinding guidance document for industry and FDA staff to use in managing cybersecurity vulnerabilities for marketed and distributed medical devices.
Although the recommendations are nonbinding, this guidance:
  • Applies to any marketed and distributed medical device, including:
    • medical devices that contain software, firmware, or programmable logic;
    • software that is a medical device, including mobile medical applications; and
    • medical devices that are considered part of an interoperable system or a legacy device.
  • Clarifies the FDA's postmarket recommendations and emphasizes that manufacturers should monitor, identify, and address cybersecurity vulnerabilities and exploits as part of their postmarket management of medical devices.
  • Establishes a risk-based framework for assessing when changes made to medical devices to address cybersecurity vulnerabilities require FDA reporting.
  • Does not provide guidance on reporting device-related deaths or serious injuries to the FDA.
Through this guidance, the FDA outlines recommended steps manufacturers should take to continually address cybersecurity risks to medical devices. Most notably, the FDA's guidance expects medical device manufacturers to implement a structured and comprehensive cybersecurity program that includes:
  • A method to monitor and detect cybersecurity vulnerabilities in their devices.
  • A way to understand, assess, and detect the level of risk a vulnerability poses to patient safety.
  • A process for working with cybersecurity researchers and other stakeholders to receive information about potential vulnerabilities.
  • The ability to deploy mitigations, like software patches, to address cybersecurity issues before their exploitation can cause harm.
The FDA will hold a webinar on January 12, 2017 for interested parties to review, discuss, and answer questions about the guidance. Interested parties may also submit comments and suggestions at any time.