The US Food and Drug Administration (FDA) has published guidance setting out its recommendations for managing postmarket cybersecurity vulnerabilities in marketed and distributed medical devices. The guidance emphasizes that medical device manufacturers should monitor, identify, and address cybersecurity vulnerabilities and exploits as part of their postmarket management. It urges manufacturers to implement comprehensive cybersecurity risk management programs, with supporting documentation, focused on identifying, evaluating, and mitigating cybersecurity risks in medical devices that may result in patient harm. Such programs should include complaint handling, quality audits, corrective and preventive action, software validation and risk analysis, and product servicing, all of which should comply with applicable federal regulations.

The FDA’s guidance also recommends that cybersecurity risk management programs include components such as:

  • Monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk;
  • Monitoring third-party software components for new vulnerabilities throughout the device’s total product lifecycle;
  • Adopting a coordinated vulnerability disclosure policy and practice;
  • Assessing the exploitability of cybersecurity vulnerabilities in medical devices and the severity of patient harm if the vulnerability were to be exploited.

The guidance establishes a risk-based framework for assessing when changes to medical devices for cybersecurity vulnerabilities require reporting to the FDA. The FDA indicates that the guidance is non-binding but represents the current thinking of the FDA on this topic.

The FDA’s guidance is titled Postmarket Management of Cybersecurity in Medical Devices and is available from the FDA.