Postmarket Management of Cybersecurity in Medical Devices; Draft Guidance for Industry and Food and Drug Administration Staff; Availability, 3803-3805 [2016-01172]

IV. Paperwork Reduction Act of 1995

    This draft guidance refers to previously approved collections of 
information found in FDA regulations. These collections of information 
are subject to review by the Office of Management and Budget (OMB) 
under the Paperwork Reduction Act of 1995 (44 U.S.C. 3501-3520). The 
collections of information in 21 CFR part 803 (medical device 
reporting) have been approved under OMB control number 0910-0437; the 
collections of information in 21 CFR part 806 (reports of corrections 
and removals) have been approved under OMB control number 0910-0359; 
the collections of information in 21 CFR part 810 (medical device 
recall authority) have been approved under OMB control number 0910-0432; 
the collections of information in 21 CFR part 814 (premarket approval) 
have been approved under OMB control number 0910-0231; the collections 
of information in 21 CFR part 820 (quality system regulations) have 
been approved under OMB control number 0910-0073; and the collections 
of information in 21 CFR part 822 (postmarket surveillance of medical 
devices) have been approved under OMB control number 0910-0449.

V. Other Issues for Consideration

    The Agency invites comments on the ``Postmarket Management of 
Cybersecurity in Medical Devices'' draft guidance, in general, and on 
the following questions, in particular:
    • What factors contribute to a manufacturer's decision whether or 
not to participate in an ISAO?
    • In the draft guidance, the FDA is proposing its intention to not 
enforce certain regulatory requirements for manufacturers that are 
``participating members'' of an ISAO. Should FDA define what it means 
to be a ``participating member'' of an ISAO and if so, how should such 
participation be verified?
    • What are the characteristics (participation, expertise, policies, 
and practices) of an ISAO that would make it qualified to participate 
in the sharing and analysis of medical device cybersecurity 
vulnerabilities? What are the benefits and disadvantages of FDA 
``recognizing'' specific ISAOs as possessing specialized expertise 
relevant to sharing and analysis of medical device vulnerabilities and 
what should such recognition entail?
    • When cybersecurity vulnerability information is not reported to 
FDA, what information should be reported to the ISAO, and when?
    • How should the FDA interact with ISAOs, manufacturers, HDOs, 
security researchers and other stakeholders to maximize the sharing of 
information concerning cybersecurity threats while maintaining 
confidentiality and protecting commercial confidential information?

    Dated: January 15, 2016.
Leslie Kux,
Associate Commissioner for Policy.
[FR Doc. 2016-01172 Filed 1-21-16; 8:45 am]
BILLING CODE 4164-01-P

[Federal Register Volume 81, Number 14 (Friday, January 22, 2016)]
[Notices]
[Pages 3803-3805]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-01172]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Food and Drug Administration

[Docket No. FDA-2015-D-5105]


Postmarket Management of Cybersecurity in Medical Devices; Draft 
Guidance for Industry and Food and Drug Administration Staff; 
Availability

AGENCY: Food and Drug Administration, HHS.

ACTION: Notice of availability.

-----------------------------------------------------------------------

SUMMARY: The Food and Drug Administration (FDA) is announcing the 
availability of a draft guidance entitled ``Postmarket Management of 
Cybersecurity in Medical Devices.'' This draft guidance informs 
industry and FDA staff of the Agency's recommendations for identifying, 
addressing, and monitoring cybersecurity vulnerabilities and exploits 
for postmarket management of medical devices. This draft guidance is 
neither final nor is it in effect at this time.

DATES: Although you can comment on any guidance at any time (see 21 CFR 
10.115(g)(5)), to ensure that the Agency considers your comment on this 
draft guidance before it begins work on the final version of the 
guidance, submit either electronic or written comments on the draft 
guidance by April 21, 2016.

ADDRESSES: You may submit comments as follows:

Electronic Submissions

    Submit electronic comments in the following way:
    • Federal eRulemaking Portal: http://www.regulations.gov. 
Follow the instructions for submitting comments. Comments submitted 
electronically, including attachments, to http://www.regulations.gov 
will be posted to the docket unchanged. Because your comment will be 
made public, you are solely responsible for ensuring that your comment 
does not include any confidential information that you or a third party 
may not wish to be posted, such as medical information, your or anyone 
else's Social Security number, or confidential business information, 
such as a manufacturing process. Please note that if you include your 
name, contact information, or other information that identifies you in 
the body of your comments, that information will be posted on http://www.regulations.gov.
    • If you want to submit a comment with confidential 
information that you do not wish to be made available to the public, 
submit the comment as a written/paper submission and in the manner 
detailed (see ``Written/Paper Submissions'' and ``Instructions'').

Written/Paper Submissions

    Submit written/paper submissions as follows:
    • Mail/Hand delivery/Courier (for written/paper 
submissions): Division of Dockets Management (HFA-305), Food and Drug 
Administration, 5630 Fishers Lane, Rm. 1061, Rockville, MD 20852.
    • For written/paper comments submitted to the Division of 
Dockets Management, FDA will post your comment, as well as any 
attachments, except for information submitted, marked and identified, 
as confidential, if submitted as detailed in ``Instructions.''
    Instructions: All submissions received must include the Docket No. 
FDA-2015-D-5105 for ``Postmarket Management of Cybersecurity in Medical 
Devices.'' Received comments will be placed in the docket and, except 
for those submitted as ``Confidential Submissions,'' publicly viewable 
at http://www.regulations.gov or at the Division of Dockets Management 
between 9 a.m. and 4 p.m., Monday through Friday.
    • Confidential Submissions--To submit a comment with 
confidential information that you do not wish to be made publicly 
available, submit your comments only as a written/paper submission. You 
should submit two copies total. One copy will include the information 
you claim to be confidential with a heading or cover note that states 
``THIS DOCUMENT CONTAINS CONFIDENTIAL INFORMATION.'' The Agency will 
review this copy, including the claimed confidential information, in 
its consideration of comments. The second copy, which will have the 
claimed confidential information redacted/blacked out, will be 
available for public viewing and posted on http://www.regulations.gov. 
Submit both copies to the Division of Dockets Management. If you do not 
wish your name and contact information to be made publicly available, 
you can provide this information on the cover sheet and not in the body 
of your comments and you must identify this
information as ``confidential.'' Any information marked as 
``confidential'' will not be disclosed except in accordance with 21 CFR 
10.20 and other applicable disclosure law. For more information about 
FDA's posting of comments to public dockets, see 80 FR 56469, September 
18, 2015, or access the information at: http://www.fda.gov/regulatoryinformation/dockets/default.htm.
    Docket: For access to the docket to read background documents or 
the electronic and written/paper comments received, go to http://www.regulations.gov and insert the docket number, found in brackets in 
the heading of this document, into the ``Search'' box and follow the 
prompts and/or go to the Division of Dockets Management, 5630 Fishers 
Lane, Rm. 1061, Rockville, MD 20852.
    Submit written requests for single copies of the guidance to the 
Office of the Center Director, Guidance and Policy Development, Center 
for Devices and Radiological Health, Food and Drug Administration, 
10903 New Hampshire Ave., Bldg. 66, Rm. 5431, Silver Spring, MD 20993-
0002 or the Office of Communication, Outreach, and Development, Center 
for Biologics Evaluation and Research, Food and Drug Administration, 
10903 New Hampshire Ave., Bldg. 71, Rm. 3128, Silver Spring, MD 20993-
0002. Send one self-addressed adhesive label to assist that office in 
processing your requests. See the SUPPLEMENTARY INFORMATION section for 
electronic access to the draft guidance document.

FOR FURTHER INFORMATION CONTACT: Suzanne Schwartz, Center for Devices 
and Radiological Health, Food and Drug Administration, 10903 New 
Hampshire Ave., Bldg. 66, Rm. 5418, Silver Spring, MD 20993-0002, 301-
796-6937; or Stephen Ripley, Center for Biologics Evaluation and 
Research, Food and Drug Administration, 10903 New Hampshire Ave., Bldg. 
71, Rm. 7301, Silver Spring, MD 20993-0002, 240-402-7911.

SUPPLEMENTARY INFORMATION:

I. Background

    This draft guidance proposes to inform industry and FDA staff of 
the Agency's recommendations as they relate to monitoring, identifying, 
and addressing cybersecurity vulnerabilities and exploits as part of 
manufacturers' postmarket management of medical devices. A growing 
number of medical devices are designed to be networked to facilitate 
patient care. Networked medical devices, like other networked computer 
systems, incorporate software that may be vulnerable to cybersecurity 
threats. The exploitation of vulnerabilities may represent a risk to 
the safety and effectiveness of medical devices and typically requires 
continual maintenance throughout the product life cycle to assure an 
adequate degree of protection against such exploits. Proactively 
addressing cybersecurity risks in medical devices reduces the patient 
safety impact and the overall risk to public health.
    For the majority of cases, actions taken by manufacturers to 
address cybersecurity vulnerabilities and exploits are considered 
``cybersecurity routine updates and patches,'' for which the FDA does 
not require advance notification or reporting under 21 CFR part 806. 
For a small subset of cybersecurity vulnerabilities and exploits that 
may compromise the essential clinical performance of a device and 
present a reasonable probability of serious adverse health consequences 
or death, the FDA would require medical device manufacturers to notify 
the Agency.
    In February 2013, the President issued Executive Order 13636 (E.O. 
13636), ``Improving Critical Infrastructure Cybersecurity,'' which 
recognized that resilient infrastructure is essential to preserving 
national security, economic stability, and public health and safety in 
the United States. Furthermore, Presidential Policy Directive-21 (PPD-
21) tasks Federal Government entities to strengthen the security and 
resilience of critical infrastructure against physical and cyber 
threats such that these efforts reduce vulnerabilities, minimize 
consequences, and identify and disrupt threats.
    In addition, Executive Order 13691, released in February 2015, 
encourages the development of Information Sharing Analysis 
Organizations (ISAOs) to serve as focal points for cybersecurity 
information sharing and collaboration within the private sector and 
between the private sector and the government.
    FDA believes that, in alignment with E.O. 13636 and PPD-21, 
stakeholders should collaborate to leverage available resources and 
tools to establish a common framework among the information technology 
community, healthcare delivery organizations (HDOs), clinical user 
community, and medical device community. These collaborations can lead 
to the consistent assessment and mitigation of cybersecurity threats, 
and their impact on medical device safety and effectiveness.
    FDA plans to hold a public workshop entitled ``Moving Forward: 
Collaborative Approaches to Medical Device Cybersecurity'' on January 
20-21, 2016 (80 FR 76022, December 7, 2015). FDA, in collaboration with 
the National Health Information Sharing Analysis Center, the Department 
of Health and Human Services, and the Department of Homeland Security, 
seeks to bring together diverse stakeholders to discuss complex 
challenges in medical device cybersecurity that impact the medical 
device ecosystem. The purpose of this workshop is to highlight past 
collaborative efforts; increase awareness of existing maturity models 
(i.e., frameworks leveraged for benchmarking an organization's 
processes) which are used to evaluate cybersecurity status, standards, 
and tools in development; and to engage the multi-stakeholder community 
in focused discussions on unresolved gaps and challenges that have 
hampered progress in advancing medical device cybersecurity.
    In the last few years, Healthcare and Public Health Critical 
Infrastructure Sector stakeholders have been engaged in many 
collaborative activities that seek to strengthen medical device 
cybersecurity and, therefore, enhance patient safety. FDA has 
contributed to these efforts through guidance, multistakeholder 
engagement, outreach, and by hosting a 2014 public workshop on 
cybersecurity entitled ``Collaborative Approaches for Medical Device 
and Healthcare Cybersecurity'' (79 FR 56814, September 23, 2014). The 
2016 public workshop will build upon previous work by featuring some of 
the collaborative efforts that address medical device cybersecurity 
through education and training, information sharing, standards, risk 
assessment, and tools development.

II. Significance of Guidance

    This draft guidance is being issued consistent with FDA's good 
guidance practices regulation (21 CFR 10.115). The draft guidance, when 
finalized, will represent the Agency's current thinking on postmarket 
management of cybersecurity in medical devices. It neither creates nor 
confers any rights for or on any person and is not binding on FDA or 
the public. An alternative approach may be used if such approach 
satisfies the requirements of the applicable statutes and regulations.

III. Electronic Access

    Persons interested in obtaining a copy of the draft guidance may do 
so by downloading an electronic copy from the Internet. A search 
capability for all Center for Devices and Radiological Health guidance 
documents is available at http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/default.htm. 
Guidance documents are also available at 
http://www.fda.gov/BiologicsBloodVaccines/GuidanceComplianceRegulatoryInformation/Guidances/default.htm 
or http://www.regulations.gov. Persons unable to download an electronic copy of 
``Postmarket Management of Cybersecurity in Medical Devices'' may send 
an email request to CDRH-Guidance@fda.hhs.gov to receive an electronic 
copy of the document. Please use the document number 1400044 to 
identify the guidance you are requesting.

IV. Paperwork Reduction Act of 1995

    This draft guidance refers to previously approved collections of 
information found in FDA regulations. These collections of information 
are subject to review by the Office of Management and Budget (OMB) 
under the Paperwork Reduction Act of 1995 (44 U.S.C. 3501-3520). The 
collections of information in 21 CFR part 803 (medical device 
reporting) have been approved under OMB control number 0910-0437; the 
collections of information in 21 CFR part 806 (reports of corrections 
and removals) have been approved under OMB control number 0910-0359; 
the collections of information in 21 CFR part 810 (medical device 
recall authority) have been approved under OMB control number 0910-
0432; the collections of information in 21 CFR part 814 (premarket 
approval) have been approved under OMB control number 0910-0231; the 
collections of information in 21 CFR part 820 (quality system 
regulations) have been approved under OMB control number 0910-0073; and 
the collections of information in 21 CFR part 822 (postmarket 
surveillance of medical devices) have been approved under OMB control 
number 0910-0449.

V. Other Issues for Consideration

    The Agency invites comments on the ``Postmarket Management of 
Cybersecurity in Medical Devices'' draft guidance, in general, and on 
the following questions, in particular:
    - What factors contribute to a manufacturer's decision 
whether or not to participate in an ISAO?
    - In the draft guidance, the FDA is proposing its intention 
to not enforce certain regulatory requirements for manufacturers that 
are ``participating members'' of an ISAO. Should FDA define what it 
means to be a ``participating member'' of an ISAO and, if so, how should 
such participation be verified?
    - What are the characteristics (participation, expertise, 
policies, and practices) of an ISAO that would make it qualified to 
participate in the sharing and analysis of medical device cybersecurity 
vulnerabilities? What are the benefits and disadvantages of FDA 
``recognizing'' specific ISAOs as possessing specialized expertise 
relevant to sharing and analysis of medical device vulnerabilities, and 
what should such recognition entail?
    - When cybersecurity vulnerability information is not 
reported to FDA, what information should be reported to the ISAO, and 
when?
    - How should the FDA interact with ISAOs, manufacturers, 
HDOs, security researchers, and other stakeholders to maximize the 
sharing of information concerning cybersecurity threats while 
maintaining confidentiality and protecting commercial confidential 
information?

    Dated: January 15, 2016.
Leslie Kux,
Associate Commissioner for Policy.
[FR Doc. 2016-01172 Filed 1-21-16; 8:45 am]
BILLING CODE 4164-01-P