FDA Issues Final Cybersecurity Guidelines

On October 2, 2014, the United States Department of Health and Human Services, Food and Drug Administration (“FDA”) released the final version of a guidance document entitled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” (the “Final Guidance”). The Final Guidance reiterates several of the key points that FDA made in the draft guidance and is meant to supplement FDA’s “Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices” and “Guidance to Industry: Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software.”

In the draft guidance that it released in June 2013, FDA recommended that medical device manufacturers and health care facilities take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cyberattack. Such an attack could be initiated by the introduction of malware into the medical equipment or unauthorized access to configuration settings in medical devices and hospital networks.

In the Final Guidance, FDA recognizes that medical device security is a shared responsibility among stakeholders, including health care facilities, patients, providers, and manufacturers of medical devices. Failure to maintain cybersecurity can result in compromised device functionality, loss of data (medical or personal) availability or integrity, or exposure of other connected devices or networks to security threats. As a result, medical device manufacturers should try to minimize and address such risk by considering cybersecurity during the design and development of medical devices, which, as noted in the FDA guidance, may result in more robust and efficient mitigation of patient risks.

FDA indicates that manufacturers should establish design inputs for their devices related to cybersecurity and establish a cybersecurity vulnerability and management approach as part of the software validation and risk analysis that is required by 21 CFR 820.30(g). The approach should appropriately address the following elements: (a) identification of assets, threats, and vulnerabilities; (b) assessment of the impact of threats and vulnerabilities on device functionality and end users/patients; (c) assessment of the likelihood of a threat and of a vulnerability being exploited; (d) determination of risk levels and suitable mitigation strategies; and (e) assessment of residual risk and risk acceptance criteria.

The Final Guidance is applicable to the following premarket submissions for devices that contain software (including firmware) or programmable logic as well as software that is a medical device: (a) Premarket (510(k)) Notifications, including Traditional, Special, and Abbreviated submissions; (b) De novo submissions; (c) Premarket Approval Applications (“PMA”); (d) Product Development Protocols (“PDP”); and (e) Humanitarian Device Exemption (“HDE”) submissions.

The Agency recommends that medical device manufacturers consider (among other factors) the following cybersecurity framework core functions to guide their cybersecurity activities:

  • Identify and Protect against Cyber Threats: FDA recognizes that medical devices that are capable of connecting to another device, the Internet or another network, or portable media are more vulnerable to cybersecurity threats than devices that do not have such capabilities. The Agency therefore recommends that, to the extent security controls are needed, manufacturers strike a balance between cybersecurity safeguards and the usability of the device in its intended use. In addition, justification supporting the security functions included in the design of the medical device should be included in all market clearance submissions to the Agency.
  • Detect, Respond, and Recover from Cyber Security Breaches: FDA recommends that device manufacturers not only implement features that allow for security compromises to be detected, recognized, logged, timed, and acted upon during normal use, but also that they develop and provide information to the end user concerning appropriate actions to take upon detection of a cybersecurity event.

The type of cybersecurity documentation that must accompany premarket submissions is closely tied to a company’s quality system implementation determined in accordance with the Quality System Regulation. FDA provided several examples of the type of documentation that should accompany respective premarket submissions, including but not limited to a traceability matrix that links the manufacturer’s actual cybersecurity controls to the cybersecurity risks that were considered.

A copy of the Final Guidance may be accessed on FDA’s website. Device manufacturers and health care facilities should carefully review the guidance and consider its implications for any future submission to FDA for medical devices subject to cybersecurity risks.
