On January 22, the Food and Drug Administration issued a draft industry guidance outlining the FDA's recommendations to the medical device industry with respect to addressing postmarket cybersecurity risks to patients. The FDA's draft guidance, entitled "Postmarket Management of Cybersecurity in Medical Devices," addresses the FDA's observation that an increasing number of medical devices are designed to be virtually connected and networked to facilitate treatment. Networked medical devices, like other connected electronic devices, are vulnerable to cybersecurity attacks, which represent a significant risk to patient safety and to the effectiveness of the devices.

The guidance sets forth the FDA's recommendation that medical device manufacturers monitor and address cybersecurity risks as part of the postmarket management of their products, and encourages manufacturers to incorporate cybersecurity monitoring throughout the design, development, production and distribution lifecycle of their products. According to the guidance, many of the actions taken by medical device manufacturers to address cybersecurity threats to their products will be considered routine updates or patches, which will not require advance notification or reporting to the FDA; however, any action taken that modifies the essential clinical performance of a medical device and presents a "reasonable probability of serious adverse health consequences or death" will require advance notification to the FDA.

The recommendations set forth in the draft guidance are limited to medical devices that contain software or programmable logic, and to software that is itself a medical device. The FDA will be accepting public comments on the guidance for approximately 90 days.
