January 25, 2020

Device Advice: New Guidance From the FDA on Medical Devices and Cybersecurity

Are medical devices, already subject to pre- and post-market regulatory controls, coming under increasing cybersecurity scrutiny? The FDA recently published recommendations on how cybersecurity management should be considered during a product’s design and development phases and in preparing pre-market submissions.[1] While the agency emphasizes that it has issued a guidance document containing only nonbinding recommendations, is there an underlying expectation that manufacturers address—and that agency staff assess—such planning as part of the approval process?

The guidance sets forth a five-function framework for approaching cybersecurity in design and development, borrowed from the core functions of the National Institute of Standards and Technology Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover. In essence, this framework promotes risk management as a continuous process of identifying, evaluating, and responding to vulnerabilities rather than a one-time pre-market exercise. The FDA highlights some specific controls for consideration, including the capability to limit access to trusted users, ensure trusted content (for example, that software updates come from an authorized source), protect critical functionality, and provide for recovery following a security compromise.

Where does risk tolerance fit in? According to the publication, “[t]he extent to which security controls are needed will depend on the device’s intended use, the presence and intent of its electronic data interfaces, its intended environment of use, the type of cybersecurity vulnerabilities present, the likelihood the vulnerability will be exploited (either intentionally or unintentionally), and the probable risk of patient harm due to a cybersecurity breach.”

Also included in the guidance is a list of security-related processes, documentation of which is recommended as part of a device’s pre-market submission. Manufacturers, recommends the FDA, should provide:

  • A hazard analysis pertaining to intentional and unintentional risks associated with the device;

  • A list of the security controls chosen, and a justification for selection;

  • A traceability matrix linking controls to risks;

  • Summary plans pertaining to risk management throughout the device lifecycle; and

  • Instructions for use and product specifications of recommended controls for the intended use environment.

Healthcare organizations, too, may find the FDA guidance useful when making procurement decisions. Greater visibility into the controls built into a device during the design and development phases, as well as into vulnerabilities identified over the device’s lifecycle, may simplify organizational and patient risk management.

[1] A copy of the guidance is available here.

Rachel Landauer contributed to this article.

Copyright © 2020, Sheppard Mullin Richter & Hampton LLP.


About this Author

Lynsey Mitchel, Attorney, Sheppard Mullin, Corporate Practice

Lynsey Mitchel is an associate in the Corporate Practice Group in the firm's Century City office and is a member of the firm's healthcare practice team.

Areas of Practice

Lynsey represents hospitals, managed care organizations, medical groups, pharmacies, home health providers, medical device retailers and other health care entities and providers. 

Lynsey has deep expertise in HMO regulatory matters and has assisted numerous clients to obtain HMO licensure as health care service plans under California’s Knox-Keene Health Care Service Plan Act. Lynsey...


Vinay Bhupathy’s health care practice bridges the gap between regulatory and transaction law and he represents all manner of healthcare entities from providers such as hospitals and physician groups to payors and health information technology companies.