FDA

By Christopher Hanson

On December 28, 2016, CDRH announced the publication of the final guidance “Postmarket Management of Cybersecurity in Medical Devices.”  In a separate post, we reported on the January 22, 2016 draft version of this guidance document.  The final guidance provides FDA’s recommendations on a risk-based framework for medical device manufacturers to assess and remediate cybersecurity vulnerabilities.  The guidance also outlines circumstances in which the Agency intends to exercise enforcement discretion with respect to the requirements of 21 C.F.R. Part 806 to report actions related to cybersecurity vulnerabilities as device corrections and removals.

We highlight below key ways the final guidance document differs from the earlier draft version:

Last month, the FDA released a draft guidance document on the sharing of patient-specific data associated with medical devices, including information recorded, stored, processed, retrieved, and/or derived from the device.  A new post on Covington’s Inside Medical Devices blog discusses the draft guidance and its implications for sharing patient information.

By Christopher Hanson

On January 22, 2016, CDRH announced in the Federal Register the publication of the draft guidance, “Postmarket Management of Cybersecurity in Medical Devices.”  The release of the draft guidance coincided with the conclusion of a two-day public workshop hosted by FDA entitled, “Moving Forward: Collaborative Approaches to Medical Device Cybersecurity.”  We previously discussed the Agency’s announcement of the workshop in a separate post.

This is the second significant cybersecurity guidance document CDRH has released, having finalized its “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” guidance in October 2014.  Having now issued both premarket and postmarket guidance documents, the Agency recognizes that an “effective cybersecurity risk management program should incorporate both premarket and postmarket lifecycle phases and address cybersecurity from medical device conception to obsolescence.”

Cybersecurity vulnerabilities are a growing concern as medical devices become more connected to the Internet, hospital networks, and other medical devices. As we previously reported, FDA has increasingly focused on promoting cybersecurity, recognizing that compromised medical devices can pose a risk to patient health and safety and to the confidentiality of personal medical information. In addition, the National Institute of Standards and Technology (NIST) has recently provided a draft practice guide for securing health records maintained on mobile devices.

On October 2, 2014, the Food and Drug Administration (FDA) released a final guidance document titled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices”.  The FDA said that the “need for effective cybersecurity to assure medical device functionality and safety has become more important with the increasing use of wireless, Internet- and network- connected devices, and the frequent electronic exchange of medical device-related health information.”  The FDA defines cybersecurity as “the process of preventing unauthorized access, modification, misuse or denial of use, or the unauthorized use of information that is stored, accessed, or transferred from a medical device to an external recipient.”  The cybersecurity of medical devices gained media attention last year when former Vice President Dick Cheney revealed that his doctor had the wireless function of Cheney’s implanted defibrillator replaced due to fears that a terrorist could hack the device and assassinate the Vice President. 

The guidance document identifies cybersecurity issues that manufacturers should consider when designing and developing their medical devices and information they should include when preparing their FDA medical device premarket submissions.

FDA has previously included claims made on Facebook or other social media platforms along with broader allegations of misbranding using a variety of sources in its enforcement letters . . . [b]y contrast, the present untitled letter focuses solely on a single statement on a Facebook page, and does not take issue with any statements outside the Facebook page.

On January 13, 2014, FDA issued a draft guidance document entitled “Fulfilling Regulatory Requirements for Postmarketing Submissions of Interactive Promotional Media for Prescription Human and Animal Drugs and Biologics.” This draft guidance addresses the procedural topic of submitting Forms FDA 2253 and 2301 when firms use social media such as blogs, microblogs, social