It is only February, but the Food and Drug Administration (FDA or Agency) has already been actively focusing on issues relating to medical device cybersecurity. Following a public workshop held on January 20-21, 2016, entitled “Moving Forward: Collaborative Approaches to Medical Device Security,”[1] the FDA published a new draft guidance for the industry entitled “Postmarket Management of Cybersecurity in Medical Devices”[2] (Draft Guidance).[3] The Draft Guidance is another step in FDA’s evolving attempt to address growing concerns over cybersecurity threats in medical devices.[4]

The new Draft Guidance outlines steps that medical device manufacturers should take to continually address cybersecurity risks. The Agency notes that “it is essential that manufacturers also consider improvements during maintenance of devices, as the evolving nature of cyber threats means risks may arise throughout a device’s entire lifecycle,”[5] from medical device conception to obsolescence. The Draft Guidance provides recommendations to manufacturers with regard to monitoring, identifying, and addressing cybersecurity vulnerabilities as part of the manufacturer’s continuing postmarket management of a medical device. These recommendations apply to: 1) medical devices that contain software (including firmware) or programmable logic, and 2) software that is a medical device. As noted by the Agency, “effective” cybersecurity risk management is a shared responsibility between stakeholders including health care facilities, patients, providers, and manufacturers of medical devices.

Recommended Postmarket Considerations

FDA recommends that manufacturers apply the NIST Framework for Improving Critical Infrastructure Cybersecurity (NIST Framework) (i.e., Identify, Protect, Detect, Respond, and Recover)[6] in the development and implementation of a comprehensive cybersecurity program. Any program should emphasize addressing vulnerabilities that may allow for unauthorized “access, modification, misuse, or denial of use, or the unauthorized use of information that is stored, accessed, or transferred from a medical device to an external recipient, and may impact patient safety.”[7] To that end, FDA has identified the following factors to be critical components of such a program:
- Monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk;
- Understanding, assessing, and detecting the presence and impact of a vulnerability;
- Establishing and communicating processes for vulnerability intake and handling;
- Clearly defining essential clinical performance to develop mitigations that protect, respond, and recover from the cybersecurity risk;
- Adopting a coordinated vulnerability disclosure policy and practice; and
- Deploying mitigations that address cybersecurity risk early and prior to exploitation.[8]