On December 28, 2016, FDA issued final guidance to inform industry and FDA staff of the Agency’s recommendations for managing postmarket cyber-security vulnerabilities for marketed and distributed medical devices.
The guidance clarifies FDA’s postmarket recommendations with regard to addressing cyber-security vulnerabilities and emphasizes that manufacturers should monitor, identify, and address cyber-security vulnerabilities and exploits as part of the postmarket management of their medical devices.
The guidance clarifies which changes to devices are considered cyber-security routine updates and patches (e.g., certain actions to maintain a controlled risk to health). In addition, the guidance outlines circumstances in which FDA does not intend to enforce reporting requirements under part 806 for specific vulnerabilities with uncontrolled risk. Specifically, FDA does not intend to enforce the reporting requirements when the circumstances outlined in the guidance are met within the predefined periods of time.