November 20, 2018
Authored and Edited by Anthony J. Berlenbach; M. Andrew Holtman, Ph.D.
On October 18, 2018, FDA issued draft Guidance on Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. Due to the frequency and severity of cybersecurity threats to the healthcare sector, the draft Guidance provides recommendations to consider and information to include in FDA medical device premarket submissions for effective cybersecurity management.
The Guidance outlines recommendations to manufacturers regarding cybersecurity device design, labeling, and documentation in premarket submissions for medical devices with cybersecurity risks. The recommendations are intended to facilitate an efficient premarket review process and help ensure that marketed medical devices are sufficiently resilient to cybersecurity threats.
Manufacturers are encouraged to design trustworthy devices to manage cybersecurity-related risks consistent with the National Institute of Standards and Technology (NIST) Cybersecurity Framework core functions of identify, protect, detect, respond, and recover. A trustworthy design should incorporate the recommended cybersecurity design controls, which include:
The Guidance sets forth labeling recommendations to inform end-users of relevant security information for devices with cybersecurity risks as an effective way to manage cybersecurity risks and ensure a device remains safe and effective throughout its life-cycle.
The Guidance defines two tiers of medical devices according to their cybersecurity risk. A Tier 1 device, with higher cybersecurity risk, is one (1) that is capable of connecting (e.g., wired, wirelessly) to another medical or non-medical product, or to a network, or to the Internet, and (2) for which a cybersecurity incident affecting the device could directly result in harm to multiple patients. A Tier 2 device, with standard cybersecurity risk, is one for which the Tier 1 device criteria are not met. The Guidance emphasizes the need for Tier 1 devices to include design feature documentation in the premarket submission that demonstrates how the device design and risk assessment incorporate the recommended cybersecurity design controls. For Tier 2 devices, manufacturers need only provide a risk-based rationale for why specific recommended cybersecurity design controls are not appropriate.
In addition to the design feature documentation, the Guidance recommends and outlines risk management documentation for premarket submissions, assessing threat models, clinical hazards, mitigation activities, and testing.
Readers are encouraged to read the draft Guidance, also available on FDA’s website.
Copyright © 2018 Finnegan, Henderson, Farabow, Garrett & Dunner, LLP.