On Tuesday, December 23, the FDA released their final guidance document on “Postmarket Management of Cybersecurity in Medical Devices.” The document outlines the Agency's recommendations for managing postmarket cybersecurity weaknesses for marketed and distributed medical devices that are already on the market, considered part of an interoperable system, and contain software or programmable logic.
The guidance meets the following objectives:
1. clarifies the FDA’s recommendations for managing postmarket cybersecurity vulnerabilities;
2. emphasizes that manufacturers should monitor, identify, and address cybersecurity vulnerabilities and exploits as part of their postmarket management of medical devices;
3. establishes a risk-based framework for assessing when changes to medical devices for cybersecurity vulnerabilities require reporting to the FDA; and
4. outlines circumstances in which FDA does not intend to enforce reporting requirements under 21 CFR, part 806.