After the Fact: FDA’s Guidance on Postmarket Management of Cybersecurity in Medical Devices

January 2017

The Food and Drug Administration (FDA) recently issued nonbinding guidance focusing on the software vulnerabilities of networked medical devices that are already on the market. The postmarket management guidance is available here. The guidance focuses on the importance of detecting (and correcting, if possible) the inadvertent incorporation of vulnerabilities during the design and manufacture of medical devices (which is the subject of separate guidance available here).

The FDA recommends that a manufacturer implement a cybersecurity risk management program that is consistent with the Quality System Regulation (21 C.F.R. part 820) and incorporate elements consistent with the NIST Framework for Improving Critical Infrastructure Cybersecurity. An appendix to the postmarket guidance lays out the elements of an effective postmarket cybersecurity program, to be used in a manner consistent with the NIST Framework, as follows:

  • Identify (maintaining safety and essential performance, and identification of cybersecurity signals);
  • Protect/Detect (vulnerability characterization and assessment, risk analysis and threat modeling, analysis of threat sources, incorporation of threat detection capabilities and impact assessments);
  • Protect/Respond/Recover (compensating controls assessment); and
  • Risk Mitigation of Safety and Essential Performance.

The postmarket guidance also establishes a risk-based framework for assessing whether a change made in response to a cybersecurity vulnerability must be reported to the FDA. For example, the FDA clarifies that routine cybersecurity updates and patches do not need to be reported to the FDA in advance, whereas reporting is required when patient harm may result from the vulnerability. The FDA stresses that “[t]he presence of a vulnerability does not necessarily trigger patient harm concerns. Rather it is the impact of the vulnerability on the safety and essential performance of the device which may present a risk of patient harm.” Manufacturers of networked medical devices should review their current cybersecurity programs against the postmarket guidance to determine whether those programs already address the FDA’s concerns or whether adjustments should be made in light of this guidance.