January 18, 2022

Volume XII, Number 18


Device Advice: New Guidance From the FDA on Medical Devices and Cybersecurity

Are medical devices, already subject to pre- and post-market regulatory controls, coming under increasing cybersecurity scrutiny? The FDA recently published recommendations on how cybersecurity management should be considered during a product's design and development phases and in preparing pre-market submissions.[1] The agency emphasizes that the guidance document contains only nonbinding recommendations, but is there an underlying expectation that manufacturers address such planning, and that agency staff assess it, as part of the approval process?

The guidance sets forth a five-function framework for approaching cybersecurity in design and development, borrowed from the National Institute of Standards and Technology's Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover. In essence, the framework treats risk management as a continuous process of identifying, evaluating, and responding to vulnerabilities rather than a one-time pre-market exercise. The FDA highlights several specific categories of control for consideration, including the capability to limit access to trusted users, to ensure trusted content (for example, that software and updates come from a verified source), to protect critical functionality, and to provide for detection of and recovery from a security compromise.

Where does risk tolerance fit in? According to the publication, “[t]he extent to which security controls are needed will depend on the device’s intended use, the presence and intent of its electronic data interfaces, its intended environment of use, the type of cybersecurity vulnerabilities present, the likelihood the vulnerability will be exploited (either intentionally or unintentionally), and the probable risk of patient harm due to a cybersecurity breach.”

Also included in the guidance is a list of security-related processes whose documentation the FDA recommends be included in a device's pre-market submission. Manufacturers, the FDA recommends, should provide:

  • A hazard analysis pertaining to intentional and unintentional risks associated with the device;

  • A list of the security controls chosen, and a justification for selection;

  • A traceability matrix linking controls to risks;

  • Summary plans pertaining to risk management throughout the device lifecycle; and

  • Instructions for use and product specifications of recommended controls for the intended use environment.

Healthcare organizations, too, may find the FDA guidance useful when procuring devices. Greater awareness of the controls built in during design and development, and of vulnerabilities that emerge once a device is in use, may simplify both organizational and patient risk management.

[1] A copy of the guidance is available here.

Rachel Landauer contributed to this article.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume IV, Number 287

About this Author

Lynsey Mitchel Corporate Attorney Sheppard Mullin Century City, CA

Lynsey Mitchel is a partner in the Corporate Practice Group in the firm's Century City office, a leader of the Health Plan Practice and a member of the firm's Healthcare team.



Vinay Bhupathy’s health care practice bridges the gap between regulatory and transaction law and he represents all manner of healthcare entities from providers such as hospitals and physician groups to payors and health information technology companies.