Privacy & Cybersecurity Law Blog

On April 8, 2022, the Food and Drug Administration (“FDA”) issued Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, a draft guidance document for industry and FDA staff. Industry stakeholders will have until July 7, 2022 to comment on the proposed guidance.

The FDA developed the draft guidance in response to increasing cybersecurity threats to the healthcare sector and growing use of wireless, Internet- and network-connected medical devices. The draft guidance provides recommendations regarding cybersecurity device design, labeling and documentation with the goal of facilitating an efficient premarket review process and ensuring that marketed medical devices are “sufficiently resilient to cybersecurity threats.”

The FDA previously issued guidance addressing premarket expectations in 2014 and proposed to update this guidance in 2018. The 2022 draft guidance, however, replaces the 2018 version and incorporates input from stakeholders at various public meetings, comments received on the 2018 version and recommendations from the Health Care Industry Cybersecurity Task Force Report. According to the FDA, the guidance “is intended to further emphasize the importance of ensuring that devices are designed securely, are designed to be capable of mitigating emerging cybersecurity risks throughout the Total Product Life Cycle, and to clearly outline [the] FDA's recommendations for premarket submission content to address cybersecurity concerns.”