The U.S. Food and Drug Administration recently became one of a number of federal agencies to adopt the National Institute of Standards and Technology’s (“NIST”) core cybersecurity framework.  On October 2, 2014, FDA issued final guidance on the content of premarket submissions for the management of cybersecurity in medical devices.  The final guidance sets forth recommendations for the design and development of medical devices, as well as the preparation of premarket submissions, that are intended to reduce the likelihood that medical devices will be compromised as a result of inadequate cybersecurity.  Although the final guidance is not binding, it is broadly applicable—the recommendations apply to device manufacturers submitting premarket applications and notifications (including 510(k) notifications), as well as to manufacturers implementing the requirements under the Quality System Regulation.   The guidance supplements other standards generally applicable to software included in medical devices, as well as specific standards addressing cybersecurity risks in medical devices containing off-the-shelf software.

In addition to adopting the NIST core cybersecurity framework, which FDA recently agreed to promote in a Memorandum of Understanding with the National Health Information Sharing and Analysis Center, the final guidance sets forth concrete recommendations specifically applicable to medical devices.  The final guidance suggests, for example, that device manufacturers put systems in place to detect compromises and implement safeguards to preserve critical functionality and recover previous configurations.  The final guidance also recommends that device manufacturers track all cybersecurity risks considered in the design of a device and justify in premarket submissions the safeguards put in place to addresses identified risks.  Specifically, the final guidance recommends that manufacturers justify a decision to use a particular security function, such as the use of one among many authentication processes or methods of securing the transfer of data.

The final guidance also suggests that device manufacturers implement plans to provide and validate software updates throughout the life of a medical device.  FDA’s guidance on off-the-shelf software establishes FDA’s position that device manufacturers have an obligation under the Quality System Regulation to provide systematic software updates to respond to identified risks.  However, the final guidance indicates that software updates will not typically need to be subject to FDA review when their sole purpose is to strengthen the cybersecurity of a medical device.

Recognizing unique features of medical devices that may need to be taken into account when assessing cybersecurity risks, the final guidance recommends that manufacturers balance the benefit of increased safeguards with the usability of a medical device.  For example, the final guidance suggests that device manufacturers consider the need to access a device in emergency situations when establishing authentication procedures.  A previous report by the U.S. Government Accountability Office on information security risks to medical devices also suggests that device manufacturers consider the risk that additional safeguards could lead to decreased battery life, which could result in a need for more frequent surgical procedures to replace batteries in implantable devices, as well as the risk of unforeseen consequences as a result of new software updates.

Although the final guidance only applies to device manufacturers, the NIST cybersecurity framework is becoming increasingly relevant to a number of industries.  In particular, NIST is currently seeking input from a variety of  industries about best practices for managing cyber risks in the supply chain and the U.S. General Services Administration is seeking industry participation in new working groups exploring how to integrate cyber protections into the federal acquisition process.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Susan B. Cassidy Susan B. Cassidy

Ms. Cassidy represents clients in the defense, intelligence, and information technologies sectors.  She works with clients to navigate the complex rules and regulations that govern federal procurement and her practice includes both counseling and litigation components.  Ms. Cassidy conducts internal investigations for government…

Ms. Cassidy represents clients in the defense, intelligence, and information technologies sectors.  She works with clients to navigate the complex rules and regulations that govern federal procurement and her practice includes both counseling and litigation components.  Ms. Cassidy conducts internal investigations for government contractors and represents her clients before the Defense Contract Audit Agency (DCAA), Inspectors General (IG), and the Department of Justice with regard to those investigations.  From 2008 to 2012, Ms. Cassidy served as in-house counsel at Northrop Grumman Corporation, one of the world’s largest defense contractors, supporting both defense and intelligence programs. Previously, Ms. Cassidy held an in-house position with Motorola Inc., leading a team of lawyers supporting sales of commercial communications products and services to US government defense and civilian agencies. Prior to going in-house, Ms. Cassidy was a litigation and government contracts partner in an international law firm headquartered in Washington, DC.

Photo of Jennifer Plitsch Jennifer Plitsch

Jennifer Plitsch leads the firm’s Government Contracts Practice Group, where she works with clients on a broad range of issues arising from both defense and civilian contracts including contract proposal, performance, and compliance questions as well as litigation, transactional, and legislative issues.

She…

Jennifer Plitsch leads the firm’s Government Contracts Practice Group, where she works with clients on a broad range of issues arising from both defense and civilian contracts including contract proposal, performance, and compliance questions as well as litigation, transactional, and legislative issues.

She has particular expertise in advising clients on intellectual property and data rights issues under the Federal Acquisition Regulations (FAR) and obligations imposed by the Bayh-Dole Act, including march-in and substantial domestic manufacturing. Jen also has significant experience in negotiation and compliance under non-traditional government agreements including Other Transaction Authority agreements (OTAs), Cooperative Research and Development Agreements (CRADAs), Cooperative Agreements, Grants, and Small Business Innovation Research agreements.

For over 20 years, Jen’s practice has focused on advising clients in the pharmaceutical, biologics and medical device industry on all aspects of both commercial and non-commercial agreements with various government agencies including:

  • the Department of Veterans Affairs (VA);
  • the Department of Health and Human Services (HHS), including the Biomedical Advanced Research and Development Authority (BARDA), the National Institutes of Health (NIH), and the Centers for Disease Control (CDC);
  • the Department of Defense (DoD), including the Defense Threat Reduction Agency (DTRA), the Defense Advanced Research Projects Agency (DARPA), and the Joint Program Executive Office for Chemical Biological Defense (JPEO-CBRN); and
    the U.S. Agency for International Development (USAID).

She regularly advises on the development, production, and supply to the government of vaccines and other medical countermeasures addressing threats such as COVID-19, Ebola, Zika, MERS-CoV, Smallpox, seasonal and pandemic influenza, tropical diseases, botulinum toxin, nerve agents, and radiation events. In addition, for commercial drugs, biologics, and medical devices, Jen advises on Federal Supply Schedule contracts, including the complex pricing requirements imposed on products under the Veterans Health Care Act, as well as on the obligations imposed by participation in the 340B Drug Pricing program.

Jen also has significant experience in domestic sourcing compliance under the Buy American Act (BAA) and the Trade Agreements Act (TAA), including regulatory analysis and comments, certifications, investigations, and disclosures (including under the Acetris decision and Biden Administration Executive Orders). She also advises on prevailing wage requirements, including those imposed through the Davis-Bacon Act and the Service Contract Labor Standards.