On December 28, 2016, the Food and Drug Administration (FDA) issued guidance on Postmarket Management of Cybersecurity in Medical Devices. The guidance clarified aspects of the reporting requirements under Part 806 (21 CFR part 806), which require device manufacturers and importers to report certain device corrections and removals to the FDA. Most actions taken by manufacturers to address cybersecurity vulnerabilities and exploits are considered “routine updates and patches” that do not require advance notification or reporting. However, actions taken by manufacturers to correct device cybersecurity vulnerabilities and exploits that may pose a risk to health must be reported to the Agency. The guidance:
-
Clarified the changes to devices that are considered cybersecurity routine updates and patches (e.g., certain actions to maintain a controlled risk to health); and
-
Outlined circumstances where FDA does not intend to enforce reporting requirements under Part 806 for specific vulnerabilities with uncontrolled risk.
Specifically, that FDA does not intend to enforce the reporting requirements when circumstances outlined in the guidance are met within the predefined periods of time. The Agency provided the following example of a situation where it would not enforce reporting requirements, where the manufacturer: a) communicates a vulnerability to customers and the user community and propose a timeline for remediation within 30 days after learning of the vulnerability;
-
b) fixes the vulnerability and validate the change within 60 days after learning of the vulnerability; and c) actively participates in an Information Sharing Analysis Organization (ISAO).
The FDA emphasized that it considers voluntary participation in an Information ISAO a critical component of a comprehensive proactive approach to management of postmarket cybersecurity threats and vulnerabilities, and a significant step towards assuring the ongoing safety and effectiveness of marketed medical devices.
[View source.]
