The U.S. Food and Drug Administration (“FDA”) recently issued draft guidance entitled “Postmarket Management of Cybersecurity in Medical Devices” (“Guidance”). The medical device industry anxiously awaited the Guidance, which outlines recommended steps medical device manufacturers should take to continually monitor, identify, and address cybersecurity vulnerabilities after devices enter the market. The FDA previously issued guidance for companies in the premarket development stage to help inform design and development decisions. This Guidance elucidates the FDA’s position on postmarket surveillance and demonstrates the FDA’s efforts to continue to address cybersecurity at all stages of a medical device’s lifecycle.

In addition to addressing the need for manufacturers to proactively plan for and to assess cybersecurity vulnerabilities, the Guidance:

  • addresses the importance of information sharing through participation in an Information Sharing Analysis Organization (ISAO), a collaborative group made up of public and private-sector members who share cybersecurity information; and
  • recommends that manufacturers implement a comprehensive cybersecurity risk management program that includes application of the voluntary “Framework for Improving Critical Infrastructure Cybersecurity” developed by the National Institute of Standards and Technology.

The majority of postmarket remedial actions taken by device manufacturers to address cybersecurity vulnerabilities and exploits are considered “routine updates or patches” for which the FDA would not require advance notification or reporting. However, device manufacturers should be aware that remedial actions that impact device performance or cause severe health consequences or death will require them to notify the FDA before making such modifications to address software security weaknesses.

The draft Guidance will be available for public comment for 90 days.