On December 28, 2016, the Food and Drug Administration (FDA) published final guidance setting out a framework for identifying, monitoring, and addressing cybersecurity vulnerabilities in medical devices throughout the product lifecycle. The guidance emphasizes a risk-based approach that weighs the exploitability of a vulnerability against the severity of the patient harm that would result if it were exploited.

The FDA suggests that manufacturers make a binary determination that the residual risk from a vulnerability is either controlled (acceptable) or uncontrolled (unacceptable) and implement a commensurate mitigation strategy. To encourage remediation, the FDA has reiterated that most actions taken to address cybersecurity vulnerabilities, such as routine cybersecurity updates and patches, will be treated as device enhancements that do not require notification or reporting to the agency.

Like all FDA guidance, this framework recommends best practices and establishes a common understanding of the agency's expectations; it does not create legally enforceable responsibilities. However, as the FDA's ongoing investigation of St. Jude Medical in response to alleged vulnerabilities in its cardiac devices demonstrates, the FDA takes seriously any cybersecurity threat to public health and will seek to hold manufacturers accountable for identifying and mitigating threats to medical device security.


For more articles and regular updates on legislative changes, regulatory developments and other news of interest to businesses, professionals and investors in the healthcare industry, please subscribe to Day Pitney's mailing lists.
