FDA Issues Draft Guidance: Postmarket Cybersecurity for Medical Devices

Jordan Lipp | Partner Davis Graham & Stubbs LLP

A little over a year after issuing final guidance on premarket submissions for management of cybersecurity in medical devices, discussed here, the FDA issued draft guidance on postmarket cybersecurity (available here).  The FDA’s stated purpose for this draft guidance is to clarify “FDA’s postmarket recommendations and [to] emphasizes that manufacturers should monitor, identify and address cybersecurity vulnerabilities and exploits as part of their postmarket management of medical devices.”  Because cybersecurity threats are continually evolving, the FDA explains that it is not possible to completely mitigate cybersecurity risks solely through premarket controls.  Recognizing that “medical device cybersecurity is a shared responsibility between stakeholders,” the draft guidance addresses both risk management and remediation of cybersecurity threats.  It also discusses the interplay between cybersecurity issues and medical device companies’ reporting requirements, setting forth several examples of what should or should not be reported.

As always, it should be noted that the FDA’s guidance documents are not binding.  They do, however, provide the industry with information on the FDA’s current thinking and approach to the topics the guidance documents address.  This postmarket cybersecurity document is “draft” guidance, which means that it is open for comment before the FDA finalizes it.  Details on submitting comments on this draft guidance are set forth on the first page of the draft guidance.