Postmarket Management of Cybersecurity in Medical Devices; Draft Guidance for Industry and Food and Drug Administration Staff; Availability, 3803-3805 [2016-01172]
[Federal Register Volume 81, Number 14 (Friday, January 22, 2016)]
[Notices]
[Pages 3803-3805]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-01172]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Food and Drug Administration
[Docket No. FDA-2015-D-5105]
Postmarket Management of Cybersecurity in Medical Devices; Draft
Guidance for Industry and Food and Drug Administration Staff;
Availability
AGENCY: Food and Drug Administration, HHS.
ACTION: Notice of availability.
-----------------------------------------------------------------------
SUMMARY: The Food and Drug Administration (FDA) is announcing the
availability of a draft guidance entitled ``Postmarket Management of
Cybersecurity in Medical Devices.'' This draft guidance informs
industry and FDA staff of the Agency's recommendations for identifying,
addressing, and monitoring cybersecurity vulnerabilities and exploits
for postmarket management of medical devices. This draft guidance is
neither final nor is it in effect at this time.
DATES: Although you can comment on any guidance at any time (see 21 CFR
10.115(g)(5)), to ensure that the Agency considers your comment on this
draft guidance before it begins work on the final version of the
guidance, submit either electronic or written comments on the draft
guidance by April 21, 2016.
ADDRESSES: You may submit comments as follows:
Electronic Submissions
Submit electronic comments in the following way:
• Federal eRulemaking Portal: https://www.regulations.gov.
Follow the instructions for submitting comments. Comments submitted
electronically, including attachments, to https://www.regulations.gov
will be posted to the docket unchanged. Because your comment will be
made public, you are solely responsible for ensuring that your comment
does not include any confidential information that you or a third party
may not wish to be posted, such as medical information, your or anyone
else's Social Security number, or confidential business information,
such as a manufacturing process. Please note that if you include your
name, contact information, or other information that identifies you in
the body of your comments, that information will be posted on https://www.regulations.gov.
• If you want to submit a comment with confidential
information that you do not wish to be made available to the public,
submit the comment as a written/paper submission and in the manner
detailed (see ``Written/Paper Submissions'' and ``Instructions'').
Written/Paper Submissions
Submit written/paper submissions as follows:
• Mail/Hand delivery/Courier (for written/paper
submissions): Division of Dockets Management (HFA-305), Food and Drug
Administration, 5630 Fishers Lane, Rm. 1061, Rockville, MD 20852.
• For written/paper comments submitted to the Division of
Dockets Management, FDA will post your comment, as well as any
attachments, except for information submitted, marked and identified,
as confidential, if submitted as detailed in ``Instructions.''
Instructions: All submissions received must include the Docket No.
FDA-2015-D-5105 for ``Postmarket Management of Cybersecurity in Medical
Devices.'' Received comments will be placed in the docket and, except
for those submitted as ``Confidential Submissions,'' publicly viewable
at https://www.regulations.gov or at the Division of Dockets Management
between 9 a.m. and 4 p.m., Monday through Friday.
• Confidential Submissions--To submit a comment with
confidential information that you do not wish to be made publicly
available, submit your comments only as a written/paper submission. You
should submit two copies total. One copy will include the information
you claim to be confidential with a heading or cover note that states
``THIS DOCUMENT CONTAINS CONFIDENTIAL INFORMATION.'' The Agency will
review this copy, including the claimed confidential information, in
its consideration of comments. The second copy, which will have the
claimed confidential information redacted/blacked out, will be
available for public viewing and posted on https://www.regulations.gov.
Submit both copies to the Division of Dockets Management. If you do not
wish your name and contact information to be made publicly available,
you can provide this information on the cover sheet and not in the body
of your comments and you must identify this
[[Page 3804]]
information as ``confidential.'' Any information marked as
``confidential'' will not be disclosed except in accordance with 21 CFR
10.20 and other applicable disclosure law. For more information about
FDA's posting of comments to public dockets, see 80 FR 56469, September
18, 2015, or access the information at: https://www.fda.gov/regulatoryinformation/dockets/default.htm.
Docket: For access to the docket to read background documents or
the electronic and written/paper comments received, go to https://www.regulations.gov and insert the docket number, found in brackets in
the heading of this document, into the ``Search'' box and follow the
prompts and/or go to the Division of Dockets Management, 5630 Fishers
Lane, Rm. 1061, Rockville, MD 20852.
Submit written requests for single copies of the guidance to the
Office of the Center Director, Guidance and Policy Development, Center
for Devices and Radiological Health, Food and Drug Administration,
10903 New Hampshire Ave., Bldg. 66, Rm. 5431, Silver Spring, MD 20993-0002
or the Office of Communication, Outreach, and Development, Center
for Biologics Evaluation and Research, Food and Drug Administration,
10903 New Hampshire Ave., Bldg. 71, Rm. 3128, Silver Spring, MD 20993-0002.
Send one self-addressed adhesive label to assist that office in
processing your requests. See the SUPPLEMENTARY INFORMATION section for
electronic access to the draft guidance document.
FOR FURTHER INFORMATION CONTACT: Suzanne Schwartz, Center for Devices
and Radiological Health, Food and Drug Administration, 10903 New
Hampshire Ave., Bldg. 66, Rm. 5418, Silver Spring, MD 20993-0002,
301-796-6937; or Stephen Ripley, Center for Biologics Evaluation and
Research, Food and Drug Administration, 10903 New Hampshire Ave., Bldg.
71, Rm. 7301, Silver Spring, MD 20993-0002, 240-402-7911.
SUPPLEMENTARY INFORMATION:
I. Background
This draft guidance proposes to inform industry and FDA staff of
the Agency's recommendations as they relate to monitoring, identifying,
and addressing cybersecurity vulnerabilities and exploits as part of
manufacturers' postmarket management of medical devices. A growing
number of medical devices are designed to be networked to facilitate
patient care. Networked medical devices, like other networked computer
systems, incorporate software that may be vulnerable to cybersecurity
threats. The exploitation of vulnerabilities may represent a risk to
the safety and effectiveness of medical devices and typically requires
continual maintenance throughout the product life cycle to assure an
adequate degree of protection against such exploits. Proactively
addressing cybersecurity risks in medical devices reduces the patient
safety impact and the overall risk to public health.
For the majority of cases, actions taken by manufacturers to
address cybersecurity vulnerabilities and exploits are considered
``cybersecurity routine updates and patches,'' for which the FDA does
not require advance notification or reporting under 21 CFR part 806.
For a small subset of cybersecurity vulnerabilities and exploits that
may compromise the essential clinical performance of a device and
present a reasonable probability of serious adverse health consequences
or death, the FDA would require medical device manufacturers to notify
the Agency.
In February 2013, the President issued Executive Order 13636 (E.O.
13636), ``Improving Critical Infrastructure Cybersecurity,'' which
recognized that resilient infrastructure is essential to preserving
national security, economic stability, and public health and safety in
the United States. Furthermore, Presidential Policy Directive-21
(PPD-21) tasks Federal Government entities to strengthen the security and
resilience of critical infrastructure against physical and cyber
threats such that these efforts reduce vulnerabilities, minimize
consequences, and identify and disrupt threats.
In addition, Executive Order 13691, released in February 2015,
encourages the development of Information Sharing and Analysis
Organizations (ISAOs) to serve as focal points for cybersecurity
information sharing and collaboration within the private sector and
between the private sector and the government.
FDA believes that, in alignment with E.O. 13636 and PPD-21,
stakeholders should collaborate to leverage available resources and
tools to establish a common framework among the information technology
community, healthcare delivery organizations (HDOs), clinical user
community, and medical device community. These collaborations can lead
to the consistent assessment and mitigation of cybersecurity threats,
and their impact on medical device safety and effectiveness.
FDA plans to hold a public workshop entitled ``Moving Forward:
Collaborative Approaches to Medical Device Cybersecurity'' on January
20-21, 2016 (80 FR 76022, December 7, 2015). FDA, in collaboration with
the National Health Information Sharing and Analysis Center, the Department
of Health and Human Services, and the Department of Homeland Security,
seeks to bring together diverse stakeholders to discuss complex
challenges in medical device cybersecurity that impact the medical
device ecosystem. The purpose of this workshop is to highlight past
collaborative efforts; increase awareness of existing maturity models
(i.e., frameworks leveraged for benchmarking an organization's
processes) which are used to evaluate cybersecurity status, standards,
and tools in development; and to engage the multi-stakeholder community
in focused discussions on unresolved gaps and challenges that have
hampered progress in advancing medical device cybersecurity.
In the last few years, Healthcare and Public Health Critical
Infrastructure Sector stakeholders have been engaged in many
collaborative activities that seek to strengthen medical device
cybersecurity and, therefore, enhance patient safety. FDA has
contributed to these efforts through guidance, multistakeholder
engagement, outreach, and by hosting a 2014 public workshop on
cybersecurity entitled ``Collaborative Approaches for Medical Device
and Healthcare Cybersecurity'' (79 FR 56814, September 23, 2014). The
2016 public workshop will build upon previous work by featuring some of
the collaborative efforts that address medical device cybersecurity
through education and training, information sharing, standards, risk
assessment, and tools development.
II. Significance of Guidance
This draft guidance is being issued consistent with FDA's good
guidance practices regulation (21 CFR 10.115). The draft guidance, when
finalized, will represent the Agency's current thinking on postmarket
management of cybersecurity in medical devices. It neither creates nor
confers any rights for or on any person and is not binding on FDA or
the public. An alternative approach may be used if such approach
satisfies the requirements of the applicable statutes and regulations.
III. Electronic Access
Persons interested in obtaining a copy of the draft guidance may do
so by downloading an electronic copy from the Internet. A search
capability for all Center for Devices and Radiological Health guidance
documents is available at https://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/default.htm.
[[Page 3805]]
Guidance documents are also available at
https://www.fda.gov/BiologicsBloodVaccines/GuidanceComplianceRegulatoryInformation/Guidances/default.htm
or https://www.regulations.gov. Persons unable to download an electronic copy of
``Postmarket Management of Cybersecurity in Medical Devices'' may send
an email request to CDRH-Guidance@fda.hhs.gov to receive an electronic
copy of the document. Please use the document number 1400044 to
identify the guidance you are requesting.
IV. Paperwork Reduction Act of 1995
This draft guidance refers to previously approved collections of
information found in FDA regulations. These collections of information
are subject to review by the Office of Management and Budget (OMB)
under the Paperwork Reduction Act of 1995 (44 U.S.C. 3501-3520). The
collections of information in 21 CFR part 803 (medical device
reporting) have been approved under OMB control number 0910-0437; the
collections of information in 21 CFR part 806 (reports of corrections
and removals) have been approved under OMB control number 0910-0359;
the collections of information in 21 CFR part 810 (medical device
recall authority) have been approved under OMB control number 0910-0432;
the collections of information in 21 CFR part 814 (premarket
approval) have been approved under OMB control number 0910-0231; the
collections of information in 21 CFR part 820 (quality system
regulations) have been approved under OMB control number 0910-0073; and
the collections of information in 21 CFR part 822 (postmarket
surveillance of medical devices) have been approved under OMB control
number 0910-0449.
V. Other Issues for Consideration
The Agency invites comments on the ``Postmarket Management of
Cybersecurity in Medical Devices'' draft guidance, in general, and on
the following questions, in particular:
• What factors contribute to a manufacturer's decision
whether or not to participate in an ISAO?
• In the draft guidance, the FDA is proposing its intention
to not enforce certain regulatory requirements for manufacturers that
are ``participating members'' of an ISAO. Should FDA define what it
means to be a ``participating member'' of an ISAO and if so, how should
such participation be verified?
• What are the characteristics (participation, expertise,
policies, and practices) of an ISAO that would make it qualified to
participate in the sharing and analysis of medical device cybersecurity
vulnerabilities? What are the benefits and disadvantages of FDA
``recognizing'' specific ISAOs as possessing specialized expertise
relevant to sharing and analysis of medical device vulnerabilities and
what should such recognition entail?
• When cybersecurity vulnerability information is not
reported to FDA, what information should be reported to the ISAO, and
when?
• How should the FDA interact with ISAOs, manufacturers,
HDOs, security researchers and other stakeholders to maximize the
sharing of information concerning cybersecurity threats while
maintaining confidentiality and protecting commercial confidential
information?
Dated: January 15, 2016.
Leslie Kux,
Associate Commissioner for Policy.
[FR Doc. 2016-01172 Filed 1-21-16; 8:45 am]
BILLING CODE 4164-01-P