The U.S. Food and Drug Administration recently became one of a number of federal agencies to adopt the National Institute of Standards and Technology’s (“NIST”) core cybersecurity framework.  On October 2, 2014, FDA issued final guidance on the content of premarket submissions for the management of cybersecurity in medical devices.  The final guidance sets forth recommendations for the design and development of medical devices, as well as the preparation of premarket submissions, that are intended to reduce the likelihood that medical devices will be compromised as a result of inadequate cybersecurity.  Although the final guidance is not binding, it is broadly applicable—the recommendations apply to device manufacturers submitting premarket applications and notifications (including 510(k) notifications), as well as to manufacturers implementing the requirements under the Quality System Regulation.   The guidance supplements other standards generally applicable to software included in medical devices, as well as specific standards addressing cybersecurity risks in medical devices containing off-the-shelf software.

In addition to adopting the NIST core cybersecurity framework, which FDA recently agreed to promote in a Memorandum of Understanding with the National Health Information Sharing and Analysis Center, the final guidance sets forth concrete recommendations specifically applicable to medical devices.  The final guidance suggests, for example, that device manufacturers put systems in place to detect compromises and implement safeguards to preserve critical functionality and recover previous configurations.  The final guidance also recommends that device manufacturers track all cybersecurity risks considered in the design of a device and justify in premarket submissions the safeguards put in place to address the identified risks.  In particular, the final guidance recommends that manufacturers justify the decision to use a given security function, such as the choice of one authentication process among many, or of a particular method of securing the transfer of data.

The final guidance also suggests that device manufacturers implement plans to provide and validate software updates throughout the life of a medical device.  FDA’s separate guidance on off-the-shelf software sets out the agency’s position that device manufacturers have an obligation under the Quality System Regulation to provide systematic software updates in response to identified risks.  The final guidance indicates, however, that software updates will not typically need to be subject to FDA review when their sole purpose is to strengthen the cybersecurity of a medical device.

Recognizing unique features of medical devices that may need to be taken into account when assessing cybersecurity risks, the final guidance recommends that manufacturers balance the benefit of increased safeguards against the usability of a medical device.  For example, the final guidance suggests that device manufacturers consider the need to access a device in emergency situations when establishing authentication procedures.  A previous report by the U.S. Government Accountability Office on information security risks to medical devices raised related trade-offs: additional safeguards could decrease battery life, which in implantable devices could mean more frequent surgical procedures to replace batteries, and new software updates carry a risk of unforeseen consequences.

Although the final guidance applies only to device manufacturers, the NIST cybersecurity framework is becoming increasingly relevant to a number of industries.  In particular, NIST is currently seeking input from a variety of industries about best practices for managing cyber risks in the supply chain, and the U.S. General Services Administration is seeking industry participation in new working groups exploring how to integrate cyber protections into the federal acquisition process.

Susan B. Cassidy


Ms. Cassidy represents clients in the defense, intelligence, and information technologies sectors.  She works with clients to navigate the complex rules and regulations that govern federal procurement and her practice includes both counseling and litigation components.  Ms. Cassidy conducts internal investigations for government contractors and represents her clients before the Defense Contract Audit Agency (DCAA), Inspectors General (IG), and the Department of Justice with regard to those investigations.  From 2008 to 2012, Ms. Cassidy served as in-house counsel at Northrop Grumman Corporation, one of the world’s largest defense contractors, supporting both defense and intelligence programs. Previously, Ms. Cassidy held an in-house position with Motorola Inc., leading a team of lawyers supporting sales of commercial communications products and services to US government defense and civilian agencies. Prior to going in-house, Ms. Cassidy was a litigation and government contracts partner in an international law firm headquartered in Washington, DC.

Jennifer Plitsch


Jennifer Plitsch is co-chair of the firm’s Government Contracts practice group. Her practice includes a wide range of contracting issues for large and small businesses in both defense and civilian contracting. Her practice involves advising clients on contract proposal, performance, and compliance questions as well as transactional and legislative issues. Her practice also includes bid protest and contract claims and appeals litigation before GAO, agency boards and the federal courts. Ms. Plitsch has particular expertise in advising clients in the pharmaceutical and biologics industry. She advises a range of pharmaceutical and biologics manufacturers on Federal Supply Schedule contracts, including the complex pricing requirements imposed on products under the Veterans Health Care Act, as well as research and development contracts and grants with various federal agencies. She also has significant experience advising on the requirements of various programs under which vaccine products and biodefense medical countermeasures are procured by the Government.

Tyler Evans


Tyler Evans is a partner in the firm’s Washington, D.C. office and a member of the government contracts group.  His practice covers multiple subject-matter areas, including research and development, non-traditional contracting, intellectual property, contract negotiations, flow-down requirements, small business issues, sourcing restrictions, costs, and compliance.