On December 28, 2016, the FDA released its final guidance on postmarket management of cybersecurity for medical devices. This was an outcome stemming from Executive Order 13636, “Improving Critical Infrastructure Cybersecurity” (February 19, 2013).
The guidance applies to any marketed medical device, either currently in use or distributed in the future, and includes devices with software and firmware, software that is a medical device (including mobile medical applications), and devices that exchange information with other devices, systems or technologies.
Recertification is usually not required. Changes to existing devices, which boost cybersecurity or address cyber vulnerabilities, are generally not required to be reported under 21 CFR part 806. A premarket approval (PMA) device with periodic reporting requirements is expected to report cyber security changes as part of its annual report.
There are no penalties and the recommendations are not legally enforceable. However, serious cybersecurity breaches typically result in widespread negative publicity, something that manufacturers likely will want to take responsible steps to avoid.
Key takeaways include:
- Responsibility for cybersecurity is shared among all stakeholders, including the manufacturer, user, IT administrator, IT developers and IT vendors who are not regulated by the FDA.
- Manufacturers are encouraged to make use of the voluntary “Framework for Improving Critical Infrastructure Cybersecurity” measures developed by the National Institute of Standards and Technology (NIST).
- To learn from each other, for profits and nonprofits in the private sector are encouraged to share cyber risk information with other organizations, and to share security information with the government through Information Sharing Analysis Organizations (ISAOs). Information collected is shielded from Freedom of Information Act (FOIA) requests and state Sunshine laws.
- As part of an ongoing cyber risk management process, FDA recommends that manufacturers assess security risks, and incorporate cybersecurity guidelines throughout the product development and post-market cycle. FDA advises the use of threat modeling to assess security weaknesses and the potential for and severity of possible harm to patients.
Disclosure: This article is for informational purposes only, represents the author’s opinions, and is not intended to provide legal or other advice.