On December 28, 2016, the FDA’s Center for Devices and Radiological Health (CDRH) released the final version of its guidance addressing “Postmarket Management of Cybersecurity in Medical Devices: Guidance of Industry and Food and Drug Administration Staff”. This guidance applies to any marketed and distributed medical device, including: (1) medical devices that contain software (including firmware) or programmable logic; and (2) software that is a medical device (as defined by § 201(h) of the FD&C Act); including mobile medical applications. The guidance supplements information contained in previous guidance titled “Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software.” The guidance does not apply to investigational devices.
The CDRH guidance establishes a risk-based framework for assessing when changes to medical devices for cybersecurity vulnerabilities require reporting to the Agency. It also outlines circumstances in which FDA does not intend to enforce reporting requirements. Under 21 CFR part 806, device manufacturers or importers must promptly report to the FDA certain actions concerning device corrections and removals. The majority of actions taken by manufacturers to address cybersecurity vulnerabilities and exploits, referred to as “cybersecurity routine updates and patches,” are generally considered to be a type of device enhancement for which the FDA does not require advance notification or reporting under 21 CFR part 806. However, for a small subset of actions taken by manufacturers to correct device cybersecurity vulnerabilities and exploits that may pose a health risk, the FDA would require medical device manufacturers to notify the Agency. This guidance recommends how to assess whether the risk of patient harm is sufficiently controlled or uncontrolled, based on an evaluation of the likelihood of exploit, the impact of exploitation on the device’s safety and essential performance, and the severity of patient harm if exploited.
In addition to the guidance’s recommendations, the CDRH “encouraged” industry to “address cybersecurity throughout the product lifecycle, including during the design, development, production, distribution, deployment, and maintenance of the device, and recommends that manufacturers apply the NIST Cybersecurity Framework.
To view the CDRH guidance, click here.