On January 22, 2016, the federal Food and Drug Administration (“FDA”) issued a draft guidance outlining postmarket recommendations for medical device manufacturers to address cybersecurity risks.  The draft guidance details the agency’s specific recommendations, which address monitoring, identifying and managing cybersecurity vulnerabilities in medical devices that are software, or contain software (including firmware) or programmable logic once they have entered the market. The draft guidance represents a part of the agency’s ongoing efforts to ensure the safety and effectiveness of medical devices in the face of potential cyber threats at all stages in their lifecycles.  Specifically, the draft guidance follows multiple public workshops on the issue and previous FDA guidance titled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” which contains premarket recommendations for managing cybersecurity risks during the design stage of device development.  We previously blogged about this here. The draft guidance recommends that manufacturers should implement a structured, systematic, and comprehensive cybersecurity risk management program that includes the following essential components, among others:

  • Applying the 2014 National Institute of Standards and Technology (“NIST”) voluntary Framework for Improving Critical Infrastructure Cybersecurity, which includes the core principles of “Identify, Protect, Detect, Respond and Recover;”
  • Monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk;
  • Understanding, assessing and detecting presence and impact of a vulnerability;
  • Establishing and communicating processes for vulnerability intake and handling;
  • Clearly defining essential clinical performance to develop mitigations that protect, respond and recover from the cybersecurity risk;
  • Adopting a coordinated vulnerability disclosure policy and practice; and
  • Deploying mitigations that address cybersecurity risk early and prior to exploitation.

For the majority of cases, the draft guidance proposes that actions taken by manufacturers to address cybersecurity vulnerabilities and exploits are considered “cybersecurity routine updates or patches,” for which the FDA would not require advance notification or reporting.  However, for a small subset of cases that may compromise the clinical performance of a device and present a reasonable probability of serious adverse health consequences or death, the FDA would require medical device manufacturers to notify the Agency. The draft guidance also stresses the importance of voluntary participation in information sharing via an Information Sharing Analysis Organization (“ISAO”), a collaborative and transparent group in which public and private-sector members share confidential cybersecurity information.  Comments to the draft guidance are due April 21, 2016  and can be submitted here.