Medical Device Makers Urged to Beef Up Product Cybersecurity


By Michael D. Williamson

Medical device makers should monitor, identify and address cybersecurity vulnerabilities as part of the postmarket strategy for their products, the FDA said Dec. 27.

The Food and Drug Administration’s recommendation applies to all devices already on the market, according to an agency guidance document, which is dated Dec. 28. The document also establishes a framework for assessing when changes made to medical devices to address cybersecurity vulnerabilities require reporting to the FDA and outlines circumstances in which the agency doesn’t intend to enforce reporting requirements.

Many in the device industry have urged the FDA to clarify when manufacturers need to notify the agency about software updates intended to strengthen a product’s cybersecurity. Such updates are constantly evolving based on new information and technology. Some changes made to bolster a device’s cybersecurity could require manufacturers to seek a new market clearance or approval from the FDA, which can be costly and time-consuming.

The document should be good for industry, Theodore Sullivan, a Washington-based attorney at Quarles & Brady LLP, told Bloomberg BNA Dec. 27. “It is a pretty common-sense guidance that recognizes the value of permitting correction of most cybersecurity vulnerabilities without undue burdensome reporting requirements.”

A notice (Docket No. FDA-2015-D-5105) announcing the guidance’s availability is scheduled for publication in the Dec. 28 Federal Register. The FDA will accept comments on the document at any time.

Attorney’s Take

Sullivan, who represents several software developers, said he liked the document for several reasons. For example, it’s helpful that the FDA actually provided a great deal of actionable guidance in the document, which isn’t always the case, he said.

In addition, the document offers fairly clear information on when software updates to address cybersecurity vulnerabilities aren’t reportable, he told Bloomberg BNA. Further, the document outlines the FDA’s plans to use enforcement discretion for companies that update products for significant security concerns, if certain steps are followed, Sullivan said.

Overall, the guidance strikes a nice middle ground of addressing device cybersecurity issues without placing too much burden on software developers or the FDA, Sullivan said.

The new guidance document isn’t vastly different from the draft guidance document the FDA released in January 2016, according to Sullivan. The earlier draft’s release didn’t cause a great uproar among his software developer clients, he noted.

January Webinar

The FDA is planning a Jan. 12 webinar to answer questions on the guidance document, the agency said on its website. No registration is necessary to participate.

To contact the reporter on this story: Michael D. Williamson in Washington at

To contact the editor responsible for this story: Brian Broderick at

For More Information

The guidance document is at

The notice is at

Details about the webinar are at

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.
