FDA Issues Proposed Guidelines for Managing Cybersecurity in Medical Devices

The Food and Drug Administration recently issued a draft guidance for managing cybersecurity in medical devices.  The guidance document provides the FDA’s postmarket recommendations for monitoring, identifying, and addressing cybersecurity vulnerabilities in medical devices.  According to the FDA:

A growing number of medical devices are designed to be networked to facilitate patient care.  Networked medical devices, like other networked computer systems, incorporate software that may be vulnerable to cybersecurity threats.  The exploitation of vulnerabilities may represent a risk to the safety and effectiveness of medical devices and typically requires continual maintenance throughout the product life cycle to assure an adequate degree of protection against such exploits.  Proactively addressing cybersecurity risks in medical devices reduces the patient safety impact and the overall risk to public health.

Recognizing that medical devices and the surrounding network infrastructure cannot be completely secured, the FDA encourages manufacturers to establish a defined process to systematically conduct a risk evaluation and determine whether a cybersecurity vulnerability affecting a medical device presents an acceptable or unacceptable risk.  According to the guidance document, such a process should focus on assessing the risk to the device’s essential clinical performance (i.e., performance that is necessary to achieve freedom from unacceptable clinical risk, as defined by the manufacturer) by considering: (1) the exploitability of the cybersecurity vulnerability, and (2) the severity of the health impact to patients if the vulnerability were to be exploited.  Recommendations regarding timely remediation and reporting of such vulnerabilities are also provided.

Comments on the draft guidance should be submitted by April 21, 2016 to ensure consideration.  Instructions for submitting comments are provided with the draft guidance.

Chang Lim
Chang Lim practices intellectual property law, with a focus on patent counseling and protection of innovations in the electronics, software, and healthcare industries. He represents clients in matters involving a diverse range of technologies including video coding, cloud computing, user interfaces, consumer electronics, data protection, and surgical robotics.

