The Food and Drug Administration (“FDA”) has greatly increased its activity around cybersecurity initiatives and medical devices. As we approach the end of the year, this is a great opportunity to review recent developments.
FDA Medical Device Cybersecurity Guidance
On October 18, 2018, the FDA published draft guidance, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.” This draft replaces prior guidance from 2014 and outlines recommendations for device design, data confidentiality, labeling conventions, and cybersecurity documentation. Key requirements include:

  • Risk-based categorization of devices into two tiers (based primarily upon device connectivity and risk of cybersecurity incidents);
  • Preparation of a cybersecurity bill of materials listing device components that could be vulnerable to cybersecurity incidents;
  • Recommendations such as requiring authentication before software or firmware updates; and
  • Application of the NIST Cybersecurity Framework.

The public comment period will end on March 18, 2019, and there will be a workshop open to the public on January 29-30. Industry professionals should take this opportunity to determine the effects this guidance could have on device approval in the future and consider commenting.

Partnership with Department of Homeland Security
The FDA and the Department of Homeland Security (DHS) announced on October 16, 2018 that the parties had entered into a memorandum of agreement (MOA) for Medical Device Cybersecurity Collaboration. The FDA’s press release described the agreement between FDA’s Center for Devices and Radiological Health (CDRH) and DHS’ National Protection and Programs Directorate (NPPD) as “meant to encourage even greater coordination and information sharing about potential or confirmed medical device cybersecurity vulnerabilities and threats.” Under the agreement, NPPD shall serve as the central medical device vulnerability coordination center, provide independent third-party assistance to the FDA for technical assessments, and share information. The FDA shall coordinate regular communications with NPPD regarding cybersecurity vulnerabilities and threats, make cybersecurity vulnerability assessments, and share information.
Cybersecurity Playbook: Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook
On October 1, 2018, the MITRE Corporation released the Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook, developed in collaboration with the FDA and industry stakeholders. MITRE is a nonprofit that operates federally funded research and development centers and has assisted the FDA with growing its cybersecurity program at CDRH. The Playbook responds to concerns from industry stakeholders, including medical device manufacturers (MDMs) and healthcare delivery organizations (HDOs), that they needed additional information and resources on how to respond to cybersecurity incidents such as the WannaCry event. It includes a customizable framework with recommendations that HDOs can “leverage as a part of their emergency response plans” to minimize patient care disruptions and harm that could occur from a medical device cybersecurity incident. Topics covered include medical device procurement; hazard vulnerability analysis; incident response training; detection and analysis; containment, eradication, and recovery; and post-incident activity.
Digital Health Precertification Program
On June 19, 2018, the FDA released the second version of its Pre-Certification (“Pre-Cert”) Working Model, which takes into consideration comments received on the April 2018 version. The agency accepted comments on the model until July 18, 2018. The goal, as outlined in the agency’s Digital Health Innovation Action Plan, is to develop a voluntary Pre-Cert program that would facilitate faster review of certain product submissions from pre-approved software and digital health firms and developers. The initial pilot program has been limited to software as a medical device (SaMD), but the second version of the framework indicates FDA may extend the program to software in a medical device (SiMD) and accessories to medical device hardware in the future. Pre-Cert 1.0 may be released as early as the end of 2018, with pilot testing anticipated in 2019.
Partnerships with Ethical Hackers
The FDA has recently pursued partnerships with ethical hackers in order to improve cybersecurity efforts around medical devices. This was highlighted by the recent discovery of a flaw in a Medtronic pacemaker that rendered the device vulnerable to hacking. Two cybersecurity researchers initially found the flaw and brought it to Medtronic’s and the FDA’s attention. In a statement to the media, the director of the FDA’s CDRH indicated the FDA plans to continue developing relationships with cybersecurity researchers.
Promoting the Use of Artificial Intelligence
The FDA is moving toward approval of medical devices incorporating artificial intelligence, and Commissioner Scott Gottlieb indicated in a speech earlier this year that the agency is working to develop “a new regulatory framework to promote innovation in this space and support the use of AI-based technologies.” Recent approvals by the agency have included a diagnostic system for diabetic retinopathy, clinical decision support software for strokes, and a program to assist medical professionals in detecting wrist fractures. A noteworthy characteristic of the approved diabetic retinopathy diagnostic system is that it does not require any additional layer of review by a medical professional. Future approvals could work in coordination with the Pre-Cert program.

Elliot Golding (CIPP/US) is a member of our Data Privacy & Cybersecurity Practice and Healthcare Industry Group leadership team, where he provides business-oriented privacy and cybersecurity advice to a wide range of clients, with a particular focus on companies handling healthcare and other personal data. He has been selected as an honoree in Global Data Review’s inaugural 40 Under 40 list, representing the best of the data law bar around the world.

Elliot partners with clients to proactively manage risk by developing and implementing information governance programs, drafting privacy and security policies, preparing and testing data breach response plans, and negotiating complex data agreements. He not only counsels clients about what the law currently requires, but also provides industry context and forward-looking advice that takes into account trends and best practices in developing areas, such as the Internet of Things and complying with the California Consumer Privacy Act. In particular, Elliot helps clients understand how personal information may be used and disclosed to support business needs so that companies can stay competitive and compliant in a rapidly evolving environment.

Elliot has also managed hundreds of breach response matters for companies through all aspects of investigation, notification, remediation and engagement with regulators (including federal regulators such as the Office of Civil Rights [OCR] and State Attorneys General). Elliot has defended clients in litigation by State Attorneys General under state security breach notification laws and the Health Insurance Portability and Accountability Act (HIPAA) and has helped clients successfully avoid enforcement actions altogether by working directly with regulators during investigations.