FDA Proposes Updates To Premarket Cybersecurity Guidance For Medical Devices

King & Spalding

The U.S. Food and Drug Administration (“FDA”) released updated draft guidelines on how medical device manufacturers should protect against data breaches and viruses prior to marketing their products.  The new draft, once finalized, will replace the agency’s 2014 guidance on the subject.

As indicated in its October 18 draft, the FDA’s modifications to its premarket cybersecurity guidance are intended to reflect the current threat landscape.  The FDA’s new recommendations touch on device design, labeling, and documentation included in premarket submissions for agency approval.  FDA hopes that manufacturers can proactively address possible cyber concerns when developing, designing, and ultimately marketing their medical devices.  In addition, the guidance recommends that manufacturers prepare a “cybersecurity bill of materials,” a list of commercial, open source, and off-the-shelf software and hardware components included in devices.  According to the FDA, this information will better enable users (patients, providers, and healthcare delivery organizations) to effectively manage their devices, understand the potential impact of vulnerabilities, and deploy appropriate countermeasures.

As part of its guidance, the FDA created two tiers of medical devices based on the cybersecurity risks associated with the specific products.  Tier 1 products, those deemed a “higher security risk,” include devices capable of connecting to another medical or non-medical product, or to a network or the internet, either wired or wirelessly.  These types of devices—i.e. defibrillators, pacemakers, insulin pumps, and the support systems that interact with them—are so classified because an incident affecting the device could result in direct harm to patients.  Tier 2 devices, those with “standard cybersecurity risk,” are products that do not qualify for Tier 1 status.

FDA will conduct a public workshop for affected stakeholders on January 29-30, 2019 to discuss the draft guidance before it is finalized.  Medical device manufacturers are also reminded of the FDA’s post-market guidance, released in 2016, which includes recommendations for maintaining the cybersecurity of network-connected devices once in use.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
