King & Spalding Lawyers Discuss The Regulatory Landscape At Medical Device Cybersecurity Risk Mitigation Conference


On July 25 and 26, 2016, industry stakeholders assembled in Arlington, Virginia, to participate in the Medical Device Cybersecurity Risk Mitigation Conference sponsored by Q1 Productions.  The conference focused on the importance of cybersecurity for medical device manufacturers throughout the life cycle of products, covering topics such as establishing and conducting cybersecurity risk assessments and managing cybersecurity vulnerabilities.  King & Spalding attorneys John Richter and Nick Oldham served as panelists for an open discussion regarding cybersecurity regulatory guidance from the U.S. Food and Drug Administration (“FDA”) in a session that also featured panelists from the FDA and the medical device industry.  Richter and Oldham further presented on medical device cybersecurity risks leading to regulatory action. 

The panel and presentation discussed FDA regulations and enforcement, noting that the agency views cybersecurity and medical devices as part of the current good manufacturing practices (“cGMP”) regulations (21 C.F.R. pt. 820).  In other words, the FDA’s activity in the cybersecurity space must be considered together with the agency’s existing regulatory prerogatives, which permit the FDA to take administrative and judicial actions “to protect the public from dangerous and illegal products, to punish persons and companies who violate the law, and to deter violations.”  Such actions can include product recalls, debarment of individuals or companies convicted of felonies, withdrawals of product approvals, license revocations, disqualification of clinical investigators, and judicial actions in concert with the U.S. Department of Justice (“DOJ”).  The panel and presentation noted that violations of cGMP can lead to criminal or civil enforcement by DOJ pursuant to the Federal Food, Drug, and Cosmetic Act, and some criminal violations are strict liability offenses.

With respect to cybersecurity guidance from the agency, the panel and presentation pointed out that since 2013, the FDA has recommended that device manufacturers and health care facilities take measures to reduce the risk that devices fail or malfunction due to cyber-attack.  In October 2014, the agency issued detailed guidance encouraging device makers to implement cybersecurity measures at the premarket stage, including developing controls to ensure the security of internet-connected devices while maintaining device functionality and safety.  Additionally, the 2014 guidance—which was non-binding—encouraged makers to submit documentation to the FDA as part of their premarket submissions, pointing to 21 C.F.R. § 820.30(g), although that provision does not itself mention cybersecurity.

The panel and presentation also covered the FDA’s postmarket draft guidance released in January 2016, which focused on how device makers can address cybersecurity issues after devices have entered the market.  In the guidance, the FDA notes that there is a shared responsibility for managing cyber-risks among manufacturers, users, and various IT personnel.  The draft guidance also describes the components of a medical device cyber risk management program that can effectively identify and remediate cyber vulnerabilities.  If a vulnerability is identified, the draft guidance indicates that a manufacturer must determine if the vulnerability triggers patient safety concerns, an analysis that requires a risk assessment of the exploitability of the vulnerability and the seriousness of the health impact if the vulnerability were to be exploited.  Based on this assessment, relevant risk can be categorized as either controlled (acceptable residual risk) or uncontrolled (unacceptable residual risk).  The FDA’s draft guidance was open to comment until April 21, 2016, and the FDA has not yet released a final version.

While the FDA has provided guidance, Richter and Oldham emphasized that the guidance is not binding and that the FDA already has all the authority it needs to pursue cybersecurity risks through the cGMP regulations.  In light of increased FDA and DOJ scrutiny, Richter and Oldham commented that companies should shape their approach to cGMP with potential regulatory enforcement in mind.  Device makers should take a hard look at their manufacturing, quality, and cGMP compliance programs—including cyber risk components—before they come under the microscope of a government investigation.  Senior management must reinforce the importance of cGMP throughout their organizations, and companies must also establish an independent quality assurance function.

Written by:

King & Spalding
