Cybersecurity Measures to be Included in Premarket Submissions for Medical Devices
The FDA recently issued a Safety Communication on cybersecurity and medical devices and draft guidance recommending that manufacturers specifically address cybersecurity in premarket submissions for medical devices. The FDA has not addressed cybersecurity with regard to medical devices since the issuance of the last cybersecurity-related guidance document in 2005. Are medical device hackers on the rise? What do you need to know?

The Safety Communication recommended “medical device manufacturers and health care facilities take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cyberattack, which could be initiated by the introduction of malware into the medical equipment or unauthorized access to configuration settings in medical devices and hospital networks.” In that Communication, the FDA outlined incidents of cybersecurity vulnerabilities potentially affecting medical devices and hospital networks, such as malware on various devices used to access patient data and distribution of passwords for privileged device access, which could result in unauthorized access and, therefore, patient illness, injury or death. The FDA noted, however, that it is not aware of any patient injuries or deaths associated with these incidents.

The FDA provided its current thinking on how to address cybersecurity pertaining to medical devices in a draft guidance released in June 2013 titled, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.” “Cybersecurity,” as used in the draft guidance, means “the process of preventing unauthorized modification, misuse or denial of use, or the unauthorized use of information that is stored, accessed, or transferred from a medical device to an external recipient.” The draft guidance applies to the following premarket submissions for medical devices that contain software: Premarket Notification (510(k)) including Traditional, Special and Abbreviated 510(k) submissions; de novo petitions; Premarket Approval Applications (PMA); Product Development Protocols (PDP); and Humanitarian Device Exemption (HDE) submissions. The FDA notes that manufacturers may also utilize the draft guidance for Investigational Device Exemption submissions and devices exempt from premarket review.

The draft guidance recommends that medical device manufacturers develop measures to maintain “confidentiality” (only authorized users access data, information, or systems at authorized times and in authorized ways), “integrity” (data and information are accurate and only modified by authorized users), and “availability” (data, information, and systems are accessible in a timely and reliable manner) with regard to cybersecurity as part of the design phase of a medical device.

The draft guidance extends the scope of design validation, 21 C.F.R. 820.30(g), suggesting that manufacturers provide the following cybersecurity information in the premarket submission:

  1. hazard analysis and mitigation design options for intentional and unintentional cyberattacks;
  2. a matrix that traces cybersecurity controls to risks;
  3. a plan to provide updates and patches to address contemporaneous cyberattacks;
  4. documentation ensuring that the device is free of malware at the time of purchase/use; and
  5. instructions for anti-virus protection.

The level of cybersecurity control will depend on the type and capability of the device. The FDA recommends that the manufacturer justify the cybersecurity controls in the premarket submission.

The Safety Communication reminds medical device manufacturers, user facilities, and importers of their various reporting obligations such as reporting adverse events, death, serious injury, and malfunctions in accordance with the Medical Device Reporting (MDR) regulations. The Safety Communication also includes FDA’s request that manufacturers voluntarily report cybersecurity incidents through FDA’s Safety Information and Adverse Event Reporting program, MedWatch.

© Saul Ewing LLP | Attorney Advertising