By Elizabeth Richards and Kevin Boyle

On June 14, 2013, the Food and Drug Administration (“FDA”) issued a draft guidance entitled, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.” (“Guidance”). The Guidance was issued in response to growing concerns about IT vulnerabilities due to the increased use of wireless, Internet and network-connected devices coupled with the frequent electronic exchange of health information. To that end, the Guidance identifies a series of cybersecurity considerations manufacturers should address during the design phase of medical devices and cybersecurity risk mitigation assessments that should be documented in premarket submissions. Comments on the Guidance are due to the FDA by September 12, 2013, providing an opportunity for manufacturers, purchases, practitioners, and patients to shape FDA’s policies in this area.

The Guidance adapts the classic information security triad – confidentiality, integrity, and availability – to medical devices defining cybersecurity as “the process of preventing unauthorized modification, misuse or denial of use, or the unauthorized use of information that is stored, accessed, or transferred from a medical device to an external recipient.” The Guidance supplements the FDA’s “Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices” and “Guidance to Industry: Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software.”  

The FDA recommends that manufacturers develop a set of security controls to assure medical device cybersecurity in the classic three core areas. With this, manufacturers should document components of their cybersecurity risk analysis and management plan as part of the risk analysis required under the Quality System Regulation,  including identification of assets, threats, and vulnerabilities; assessment of the threats and vulnerabilities on device functionality; evaluation of the likelihood of a threat; and determination of suitable mitigation strategies. The Agency also encourages manufacturers to consider appropriate security measures to ensure that they are limiting access to trusted users, ensuring trusted content, and implementing fail-safe and recovery measures in the event of a security breach or emergency.

The Guidance concludes with suggestions of specific documentation that manufacturers should provide in their premarket submissions.  This information includes, for example, hazard analysis, mitigations, and design considerations pertaining to intentional and unintentional cybersecurity risks associated with the device; a “traceability matrix” that links the actual cybersecurity controls to the cybersecurity risks that were considered; a systematic plan for providing validated updates and patches to operating systems or medical device software; appropriate documentation to demonstrate that the device will be provided to purchasers free of malware; and recommended anti-virus software and/or firewall use.

Although FDA’s recommendations in the Guidance are non-binding, they nevertheless provide insight into the specific content FDA expects for premarket submissions of medical devices containing software (including firmware) or programmable logic. To that end,  manufacturers are well-advised to take these recommendations to heart when designing their products and preparing their premarket submissions, so as to reduce the risk that FDA identifies issues during the review that either extend the review time or result in a negative decision. 

This post was prepared with the assistance of Cierra Warren in the Washington, D.C. office of Latham & Watkins.