On October 2, 2014, the United States Department of Health and Human Services, Food and Drug Administration (“FDA”) released the final version of a guidance document entitled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” (the “Final Guidance”). The Final Guidance reiterates several of the key points that FDA made in the draft guidance and is meant to supplement FDA’s “Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices” and “Guidance to Industry: Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software.”

In the draft guidance that it released in June 2013, FDA recommended that medical device manufacturers and health care facilities take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cyberattack. Such an attack could be initiated by the introduction of malware into the medical equipment or by unauthorized access to configuration settings in medical devices and hospital networks. In the Final Guidance, FDA recognizes that medical device security is a shared responsibility among stakeholders, including health care facilities, patients, providers, and manufacturers of medical devices. Failure to maintain cybersecurity can result in compromised device functionality, loss of availability or integrity of data (medical or personal), or exposure of other connected devices or networks to security threats. As a result, medical device manufacturers should try to minimize and address such risk by considering cybersecurity during the design and development of medical devices, which, as noted in the FDA guidance, may result in more robust and efficient mitigation of patient risks.
FDA indicates that manufacturers should establish design inputs for their devices related to cybersecurity and establish a cybersecurity vulnerability and management approach as part of the software validation and risk analysis that is required by 21 CFR 820.30(g). The approach should appropriately address the following elements: (a) identification of assets, threats, and vulnerabilities; (b) assessment of the impact of threats and vulnerabilities on device functionality and end users/patients; (c) assessment of the likelihood of a threat and of a vulnerability being exploited; (d) determination of risk levels and suitable mitigation strategies; and (e) assessment of residual risk and risk acceptance criteria.

The Final Guidance is applicable to the following premarket submissions for devices that contain software (including firmware) or programmable logic, as well as software that is itself a medical device: (a) Premarket (510(k)) Notifications, including Traditional, Special, and Abbreviated submissions; (b) De novo submissions; (c) Premarket Approval Applications (“PMA”); (d) Product Development Protocols (“PDP”); and (e) Humanitarian Device Exemption (“HDE”) submissions.

The Agency recommends that medical device manufacturers consider (among other factors) the following cybersecurity framework core functions to guide their cybersecurity activities:
- Identify and Protect against Cyber Threats: FDA recognizes that medical devices that are capable of connecting to another device, to the Internet or another network, or to portable media are more vulnerable to cybersecurity threats than devices that do not have such capabilities. The Agency therefore recommends that, to the extent security controls are needed, manufacturers balance cybersecurity safeguards against the usability of the device in its intended use. In addition, justification supporting the security functions included in the design of the medical device should be included in all market clearance submissions to the Agency.
- Detect, Respond, and Recover from Cybersecurity Breaches: FDA recommends that device manufacturers not only implement features that allow security compromises to be detected, recognized, logged, timed, and acted upon during normal use, but also develop and provide information to the end user concerning appropriate actions to take upon detection of a cybersecurity event.
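The five risk-analysis elements (a) through (e) that the guidance asks manufacturers to address can be carried through as a small risk register. The following Python is an added illustration, not code from FDA or from the Firm: the 1-to-5 ordinal scales, the score thresholds, the mitigation point reductions, the acceptance criterion and the two sample entries are all constructed assumptions, since the guidance names the elements but prescribes no particular scale.

```python
"""Worked risk register for a connected medical device, following the five
elements in the FDA guidance:
  (a) assets, threats, vulnerabilities   (b) impact   (c) likelihood
  (d) risk level and mitigation          (e) residual risk vs. acceptance
All scales, thresholds and sample entries below are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SCALE = range(1, 6)  # constructed 1 (lowest) .. 5 (highest) ordinal scale


def risk_level(impact: int, likelihood: int) -> str:
    """Element (d): map impact x likelihood onto a risk level (constructed thresholds)."""
    if impact not in SCALE or likelihood not in SCALE:
        raise ValueError("impact and likelihood must be integers 1..5")
    score = impact * likelihood
    if score <= 4:
        return "low"
    if score <= 12:
        return "medium"
    return "high"


@dataclass
class Mitigation:
    name: str
    likelihood_reduction: int = 0  # scale points removed from likelihood
    impact_reduction: int = 0      # scale points removed from impact


@dataclass
class RiskEntry:
    asset: str           # (a) what is being protected
    threat: str          # (a) the source of potential harm
    vulnerability: str   # (a) the weakness that makes the threat feasible
    impact: int          # (b) consequence for device function / patient
    likelihood: int      # (c) chance the vulnerability is exploited
    mitigations: List[Mitigation] = field(default_factory=list)

    def key(self) -> str:
        return f"{self.asset} / {self.threat}"

    def inherent_level(self) -> str:
        return risk_level(self.impact, self.likelihood)

    def residual_scores(self) -> Tuple[int, int]:
        """Element (e): apply all mitigations, never dropping below the scale floor."""
        imp = max(1, self.impact - sum(m.impact_reduction for m in self.mitigations))
        lik = max(1, self.likelihood - sum(m.likelihood_reduction for m in self.mitigations))
        return imp, lik

    def residual_level(self) -> str:
        return risk_level(*self.residual_scores())


ACCEPTABLE = {"low", "medium"}  # constructed acceptance criterion for residual risk


def evaluate(register: List[RiskEntry]) -> Dict[str, dict]:
    """Inherent and residual level per entry, plus whether residual risk is accepted."""
    return {
        e.key(): {
            "inherent": e.inherent_level(),
            "residual": e.residual_level(),
            "accepted": e.residual_level() in ACCEPTABLE,
        }
        for e in register
    }


def unaccepted(register: List[RiskEntry]) -> List[str]:
    """Entries whose residual risk still fails the acceptance criterion."""
    return [k for k, v in evaluate(register).items() if not v["accepted"]]


def sample_register() -> List[RiskEntry]:
    """Two constructed entries; the second keeps only a logging control to show
    that a detection-only measure does not by itself lower the risk score."""
    return [
        RiskEntry(
            asset="infusion pump dose settings",
            threat="unauthorized network user",
            vulnerability="configuration interface accepts unauthenticated commands",
            impact=5, likelihood=4,
            mitigations=[
                Mitigation("authenticate and authorize configuration changes", likelihood_reduction=3),
                Mitigation("enforce hard dose limits in firmware", impact_reduction=1),
            ],
        ),
        RiskEntry(
            asset="device firmware",
            threat="malware introduced via USB service port",
            vulnerability="unsigned firmware images are accepted",
            impact=5, likelihood=3,
            mitigations=[Mitigation("log firmware update attempts")],  # detection only
        ),
    ]


if __name__ == "__main__":
    for key, result in evaluate(sample_register()).items():
        print(f"{key}: inherent={result['inherent']} residual={result['residual']} "
              f"accepted={result['accepted']}")
```

Running the module shows the first entry dropping from high to low once authentication and dose limits are credited, while the firmware entry stays high because logging only supports detection and response (the second core function above) and does not change impact or likelihood; a register kept this way makes the residual-risk and acceptance decisions that the guidance asks for explicit and reviewable.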