The FDA released a draft guidance to notify the industry and FDA staff about its recommendations for dealing with postmarket cybersecurity vulnerabilities for marketed medical devices. The draft guidance, which was announced in an advance release, provides specific recommendations for manufacturers but also encourages them to address cybersecurity issues throughout the entire lifecycles of their products.
An increasing number of medical devices are designed so that they can be networked to assist with patient care. Such networked devices, like any networked computer system, use software that can be vulnerable to cybersecurity threats, which can present a risk to the safety and effectiveness of the devices. Therefore, manufacturers should take a proactive approach to addressing cybersecurity risks in medical devices to reduce the risks to patient safety and public health.
The draft guidance contains the FDA’s postmarket recommendations and emphasizes that manufactures should monitor and address any cybersecurity vulnerabilities as part of their postmarket management of medical devices. In most cases, the manufacturers will be performing routine updates or patches, which would not require advance notification to the FDA or reporting under 21 C.F.R. part 806. However, for cybersecurity vulnerabilities that could compromise a device’s essential clinical performance and present a probability of serious adverse health consequences or death, the manufacturers would be required to notify the FDA (21 C.F.R. Sec. 806.10).
The FDA believes that the public and private stakeholders must collaborate to use available resources and tools to assess risks and identify vulnerabilities in medical devices so as to mitigate cybersecurity threats. It recommends that manufacturers take a proactive, risk-based approach for the postmarket phases of medical devices, which includes cybersecurity information sharing, “good cyber hygiene” or routine device cyber maintenance, postmarket information assessments, vulnerability identification, and timely implementation of necessary risk mitigation actions.
The draft guidance applies to medical devices that contain software, including firmware or programmable logic. It also applies to software that is a medical device. However, the guidance does not apply to experimental or investigational medical devices.