The FDA has released the final guidance document "Postmarket Management of Cybersecurity in Medical Devices." This final guidance informs industry and the FDA staff of the Agency’s recommendations for managing postmarket cybersecurity vulnerabilities for marketed and distributed medical devices.
The final guidance also meets the following objectives:
- clarifies the FDA’s recommendations for managing postmarket cybersecurity vulnerabilities;
- emphasizes that manufacturers should monitor, identify, and address cybersecurity vulnerabilities and exploits as part of their postmarket management of medical devices;
- establishes a risk-based framework for assessing when changes to medical devices for cybersecurity vulnerabilities require reporting to the FDA; and
- outlines circumstances in which the FDA does not intend to enforce reporting requirements under 21 CFR part 806.
It is important to note that the recommendations in this final guidance apply to marketed and distributed medical devices that:
- are already on the market or in use (also known as “legacy devices”),
- are considered part of an interoperable system (allowing for multiple technology systems and software applications to communicate and exchange data),
- contain software or programmable logic; or
- contain software that is a medical device (including mobile medical applications).
WEBINAR: On Thursday, January 12, 2017, the FDA will host a webinar for industry to discuss and answer questions about this final guidance.
To ensure you are connected, please dial in 15 minutes prior to the start of the webinar.
Following the webinar, a transcript, recording and slides will be available at: http://www.fda.gov/CDRHWebinar. The slide presentation will also be available at this site on the morning of the webinar.
If you have any questions regarding this guidance document, please contact CDRH’s Division of Industry and Consumer Education (DICE) at DICE@fda.hhs.gov, or via phone at 1-800-638-2041, or 301-796-7100.