Imagine you or a loved one has an implanted medical device, such as a heart pacemaker, that may be hacked and controlled by someone other than the manufacturer or your doctor. Someone could conceivably control the device such that you or your loved may be seriously harmed (or worse).
On October 17, 2018, the U.S. Food and Drug Administration issued a draft guidance entitled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” which provides updated recommendations to the medical device industry on cybersecurity considerations for device design, labeling and documentation that the FDA recommends be included in premarket submissions for medical devices with cybersecurity risk.
The updated draft guidance builds on the framework that the FDA established in its earlier guidance that was finalized in 2014, for helping manufacturers consider cybersecurity in the design and development of their medical devices. The FDA claims that the updated recommendations will facilitate an efficient premarket review process and help ensure that medical devices are designed to sufficiently address cybersecurity threats before the devices are on the market.
The draft guidance incorporates new recommendations, including a “cybersecurity bill of materials,” which is a list of commercial and/or off-the-shelf software and hardware components of a device that could be susceptible to vulnerabilities. Depending on the level of cybersecurity risk associated with a device, the list can be an important resource to help ensure that device users are able to respond quickly to potential threats.
The draft guidance also introduces two tiers of devices — those with higher cybersecurity risk, including implanted devices such as pacemakers or neurostimulation devices, and standard cybersecurity risk, which includes devices that contain software — based on potential harm to patients from cybersecurity threats. The draft guidance outlines the documentation for inclusion in a premarket submission to the agency to demonstrate that the design of the medical device has adequately mitigated risk.
In announcing the draft guidelines, the FDA Commissioner stated, “Cybersecurity threats and vulnerabilities in today’s modern medical devices are evolving to become more apparent and more sophisticated, posing new potential risks to patients and clinical operations. The FDA has been working to stay a step ahead of these changing cybersecurity vulnerabilities, including engaging with external stakeholders. In this way, we can help ensure the health care sector is well positioned to proactively respond when cyber vulnerabilities are identified in products that we regulate. Today’s draft premarket cybersecurity guidance provides updated recommendations for device manufacturers on how they can better protect their products against different types of cybersecurity risks, from ransomware to a catastrophic attack on a health system. We’ve been implementing this guidance since it was finalized in 2014. Now, because of the rapidly evolving nature of cyber threats, we’re updating our guidance to make sure it reflects the current threat landscape so that manufacturers can be in the best position to proactively address cybersecurity concerns when they are designing and developing their devices. This is part of the total product lifecycle approach to device safety, in which manufacturers must adequately address device cybersecurity from the design phase through the device’s time on the market to help ensure patients are protected from cybersecurity threats.”
If you or a loved one suffered harm due to a defective medical device in the United States, you should promptly consult with a medical device claim lawyer in your U.S. state who may investigate your defective medical device claim for you and represent you or your loved one in a medical device claim, if appropriate.
Visit our website or call us toll-free in the United State at 800-295-3959 to find medical device lawyers in your state who may assist you.
Turn to us when you don’t know where to turn.