Alaap B. Shah, Member of the Firm in the Health Care & Life Sciences practice, in the firm’s Washington, DC, office, was quoted in Inside Health Policy Daily News, in “FDA Cyber Guide Provides Key Testing, Documentation Updates,” by David Roza. (Read the full version – subscription required.)

Following is an excerpt:

Medical device experts voiced their approval of FDA’s recent draft guidance that lays out how device manufacturers should address cybersecurity in their premarket submissions. While they welcomed FDA’s thorough list of documents and testing, which they say will give manufacturers a goal to shoot for to make their products more resilient to cybersecurity threats, they also told Inside Health Policy there is still some uncertainty surrounding the draft guidance. Namely, one expert said it is unclear whether industry will actually change its approach to product design, and another found it curious that FDA failed to address postmarket cybersecurity protocols in the draft.

The Oct. 17 premarket draft guidance, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” is billed by FDA as the successor to the agency’s 2014 final guidance of the same name.

The new guidance lays out a long list of recommendations for device cybersecurity capabilities, such as protecting the integrity and privacy of data through encryption, and including routine security and antivirus scans. ...

Alaap Shah with Epstein Becker Green said he would have to wait and see whether manufacturers would actually change their approach to product design, and whether manufacturers will make the cybersecurity features of their products accessible to end users. …

Shah for the most part approved of the recommendations FDA lays out in its draft guidance. He applauded FDA for encouraging manufacturers to include mechanisms to create and store log files in devices in case of a cybersecurity attack. He also approved of FDA emulating the core functions of the National Institute of Standards and Technology’s cybersecurity framework: detection, response and recovery.

“[M]edical device manufacturers have historically ignored cybersecurity risk in product design such that devices were essentially ‘black boxes’ from a cyber risk management perspective,” Shah said. “This guidance aims to make these ‘black boxes’ more transparent to allow for management of cybersecurity risks inherent in such devices.”

Still, Shah said that while this guidance marks an important step for FDA, it represents only the beginning of what will require a sector-wide transformation in order for stakeholders to be more aware of cybersecurity best practices.

“Now we will have to wait and see whether manufacturers can change their approach to product design, and engineer products that take cybersecurity into account,” he said. “Further, assuming they can develop such products, it will be interesting to see if end users will have enough awareness and expertise to effectively manage evolving cyber risks associated with such medical devices. Good premarket cybersecurity design does not necessarily translate into less postmarket cyber risk if the product is not appropriately configured, supported, used and managed over time. It will always be a team effort.”
