News Feature | April 25, 2016

What FDA Draft Cybersecurity Guidance Could Mean For Medical Device Manufacturers

By Christine Kern, contributing writer

The comment period has ended for the cybersecurity guidance, and the FDA must now finalize its directives.

New draft guidance from the Food and Drug Administration, released in January, addresses steps manufacturers must follow to ensure their medical devices are protected against cyberattacks. According to the guidelines, device makers must not only establish design inputs related to cybersecurity but also address post-market threats that could emerge after the product has been marketed.

“All medical devices that use software and are connected to hospital and health care organizations’ networks have vulnerabilities — some we can proactively protect against, while others require vigilant monitoring and timely remediation,” Suzanne Schwartz, M.D., M.B.A., associate director for science and strategic partnerships and acting director of emergency preparedness/operations and medical countermeasures in the FDA’s Center for Devices and Radiological Health, explained in a statement.

The draft guidance applies to medical devices that contain software (including firmware) or programmable logic, and software that is a medical device. The document lays out and defines vulnerabilities that could be exploited by cybersecurity threats.

“The FDA is encouraging medical device manufacturers to take a proactive approach to cybersecurity management of their medical devices,” said Schwartz. “Only when we work collaboratively and openly in a trusted environment, will we be able to best protect patient safety and stay ahead of cybersecurity threats.”

The agency recommended that manufacturers integrate a cybersecurity framework provided by the National Institute of Standards and Technology (NIST) into their risk management efforts. The comment period for the guidance document ended on April 21, 2016, and now the FDA must finalize its directive.

According to DLA Piper life sciences lawyers Becca McKnight, Gail Javitt, Stacy Taylor, and Peter McLaughlin, the guidance sends several key FDA messages to device manufacturers, including:

  • premarket controls are not enough
  • patient safety remains paramount
  • existing FDA compliance processes must be reviewed through the cybersecurity lens
  • the FDA will incentivize stakeholder collaboration to achieve device security