December 30, 2016
Authored and Edited by Sonja W. Sahlsten; Kathleen A. Daley
Medical devices are increasingly connected to computer networks to improve patient care and management. With this connectivity also comes increased vulnerability to cybersecurity threats, which has the potential to affect the function and safety of the device.
On December 28, 2016, FDA released a nonbinding final Guidance for Industry on Postmarket Management of Cybersecurity in Medical Devices. FDA intends the Guidance to help medical device manufacturers identify, evaluate, and mitigate cybersecurity vulnerabilities and assess whether the risk of patient harm is sufficiently controlled or uncontrolled. The Guidance applies to: 1) medical devices that contain software, firmware, or programmable logic; and 2) software that is a medical device, including mobile medical applications.
The Guidance outlines postmarket cybersecurity risk management strategies and recommends that manufacturers implement these strategies throughout the lifecycle of the device. A postmarket strategy should include:
The risk management strategy should focus on assessing the risk of patient harm by considering two factors: 1) the likelihood that a vulnerability could be exploited (ranging from low to high, as illustrated below); and 2) the severity of patient harm if the vulnerability is exploited (ranging from negligible to catastrophic, as illustrated below).
The Guidance uses the figure below to illustrate how these considerations are assessed to determine whether the cybersecurity risk is considered controlled or uncontrolled.
The Guidance provides a recommended course of action depending on whether the risk is controlled or uncontrolled. If the risk is controlled, manufacturers are encouraged to proactively strengthen cybersecurity. If the risk is uncontrolled, the Guidance outlines the following recommended procedures:
The Guidance emphasizes the need for medical device manufacturers, health care facilities, providers, and patients to cooperate and share information on cybersecurity threats and mitigation. Because cybersecurity threats cannot be totally eliminated, FDA advises that these stakeholders work together to manage them.
Copyright © 2016 Finnegan, Henderson, Farabow, Garrett & Dunner, LLP.