FDA issues draft guidance “Postmarket Management of Cybersecurity in Medical Devices”

On January 22, 2016, the U.S. Food and Drug Administration (“FDA”) released draft guidance entitled “Postmarket Management of Cybersecurity in Medical Devices”. The document outlines recommendations to medical device manufacturers for managing postmarket cybersecurity vulnerabilities for marketed medical devices.

The draft guidance applies to: 1) medical devices that contain software (including firmware) or programmable logic, and 2) software that is a medical device.

To protect patients, the FDA recommends effective cybersecurity risk management policies to decrease the likelihood that “device functionality is intentionally or unintentionally compromised by inadequate cybersecurity”.

The draft suggests that manufacturers apply the NIST Framework for Improving Critical Infrastructure Cybersecurity and that they participate in an Information Sharing and Analysis Organization (ISAO) to share “cybersecurity information and intelligence pertaining to vulnerabilities and threats across multiple sectors”.

In order to conduct an effective risk management process systematically, the FDA recommends that such a process focus on assessing the risk to the device’s essential clinical performance by considering: 1) the exploitability of the cybersecurity vulnerability, and 2) the severity of the health impact to patients if the vulnerability were to be exploited.

Based on the vulnerability assessment, an identified vulnerability’s exploitability and the severity of its health impact can be categorized as either “controlled” (acceptable residual risk) or “uncontrolled” (unacceptable residual risk). The draft provides guidance on how to address vulnerabilities associated with controlled risks (p. 17) and uncontrolled risks (p. 18). If the risk to essential clinical performance is assessed as uncontrolled, additional risk control measures should be applied.

The draft also describes the recommended content that devices approved under a premarket approval (PMA) with periodic reporting requirements under 21 CFR 814.84 shall include in their periodic (annual) reports.

The draft Postmarket Management of Cybersecurity in Medical Devices is available at http://www.fda.gov…


For more information, Francesca Giannoni-Crystal
