On January 15, 2016, the U.S. Food and Drug Administration (FDA) announced in a Press Release that it would issue draft guidance on January 22 outlining “steps medical device manufacturers should take to continually address cybersecurity risks” to confront “vulnerabilities in medical devices once they have entered the market.” FDA published a Notice in the Federal Register on January 22 and has requested public comments within 90 days, by April 20, 2016. FDA issued this guidance in advance of a public workshop, entitled “Moving Forward: Collaborative Approaches to Medical Device Cybersecurity” that was webcast and archived on FDA’s website.

This new postmarket draft guidance builds on FDA’s October 2014 “nonbinding” cybersecurity guidance that encouraged medical device manufacturers to develop and incorporate cybersecurity controls into medical devices at the premarket design stage. As was the case in October 2014, FDA bills this new postmarket cybersecurity draft guidance as “not binding on FDA or the public” and states that regulated entities may use “an alternative approach [to cybersecurity risk management] if it satisfies the requirements of the applicable statutes and regulations.” That said, FDA’s most recent draft guidance makes clear that it will employ its enforcement resources to police cybersecurity issues in marketed medical devices where a known cybersecurity vulnerability seriously impacts public health.