The U.S. Food and Drug Administration recently became one of a number of federal agencies to adopt the National Institute of Standards and Technology’s (“NIST”) core cybersecurity framework.  On October 2, 2014, FDA issued final guidance on the content of premarket submissions for the management of cybersecurity in medical devices.  The final guidance sets forth recommendations for the design and development of medical devices, as well as the preparation of premarket submissions, that are intended to reduce the likelihood that medical devices will be compromised as a result of inadequate cybersecurity.  Although the final guidance is not binding, it is broadly applicable—the recommendations apply to device manufacturers submitting premarket applications and notifications (including 510(k) notifications), as well as to manufacturers implementing the requirements under the Quality System Regulation.   The guidance supplements other standards generally applicable to software included in medical devices, as well as specific standards addressing cybersecurity risks in medical devices containing off-the-shelf software.

In addition to adopting the NIST core cybersecurity framework, which FDA recently agreed to promote in a Memorandum of Understanding with the National Health Information Sharing and Analysis Center, the final guidance sets forth concrete recommendations specifically applicable to medical devices.  The final guidance suggests, for example, that device manufacturers put systems in place to detect compromises and implement safeguards to preserve critical functionality and recover previous configurations.  The final guidance also recommends that device manufacturers track all cybersecurity risks considered in the design of a device and justify in premarket submissions the safeguards put in place to addresses identified risks.  Specifically, the final guidance recommends that manufacturers justify a decision to use a particular security function, such as the use of one among many authentication processes or methods of securing the transfer of data.

The final guidance also suggests that device manufacturers implement plans to provide and validate software updates throughout the life of a medical device.  FDA’s guidance on off-the-shelf software establishes FDA’s position that device manufacturers have an obligation under the Quality System Regulation to provide systematic software updates to respond to identified risks.  However, the final guidance indicates that software updates will not typically need to be subject to FDA review when their sole purpose is to strengthen the cybersecurity of a medical device.

Recognizing unique features of medical devices that may need to be taken into account when assessing cybersecurity risks, the final guidance recommends that manufacturers balance the benefit of increased safeguards with the usability of a medical device.  For example, the final guidance suggests that device manufacturers consider the need to access a device in emergency situations when establishing authentication procedures.  A previous report by the U.S. Government Accountability Office on information security risks to medical devices also suggests that device manufacturers consider the risk that additional safeguards could lead to decreased battery life, which could result in a need for more frequent surgical procedures to replace batteries in implantable devices, as well as the risk of unforeseen consequences as a result of new software updates.

Although the final guidance only applies to device manufacturers, the NIST cybersecurity framework is becoming increasingly relevant to a number of industries.  In particular, NIST is currently seeking input from a variety of  industries about best practices for managing cyber risks in the supply chain and the U.S. General Services Administration is seeking industry participation in new working groups exploring how to integrate cyber protections into the federal acquisition process.