FDA Issues Draft Guidance: Postmarket Cybersecurity for Medical Devices

Jordan Lipp | Partner Davis Graham & Stubbs LLP

A little over a year after issuing final guidance on premarket submissions for management of cybersecurity in medical devices, discussed here, the FDA issued draft guidance on postmarket cybersecurity (available here). The FDA's stated purpose for this newly issued draft guidance is to clarify “FDA’s postmarket recommendations and [to] emphasizes that manufacturers should monitor, identify and address cybersecurity vulnerabilities and exploits as part of their postmarket management of medical devices.” Because cybersecurity threats are continually evolving, the FDA explains that it is not possible to completely mitigate cybersecurity risks solely through premarket controls. Recognizing that “medical device cybersecurity is a shared responsibility between stakeholders,” the draft guidance addresses both risk management and remediation of cybersecurity threats. It also discusses the interplay between cybersecurity issues and medical device companies’ reporting requirements, setting forth several examples of what should or should not be reported.