FDA Issues Draft Guidance Document for Postmarket Management of Cybersecurity in Medical Devices (Part 1 of 4)
Background and Overview of Essential Concepts
In response to the growth of cybersecurity issues in an increasingly networked society, the FDA has decided to give medical device manufacturers structure and specificity in its effort to counter threats to patient safety. Although most of the recommendations offer industry a chance to self-police relatively minor security issues, the agency has proposed that a small subset of vulnerabilities “may compromise the essential clinical performance of a device and present a reasonable probability of serious adverse health consequences or death” and would thus require manufacturers to notify the FDA of imminent threats to the public health.
The genesis of this heightened commitment to cybersecurity is rooted in Executive Order 13636 – Improving Critical Infrastructure Cybersecurity (Feb. 19, 2013), which highlighted cyberthreats to the nation’s welfare and specifically named public health and safety as an area of concern. As part of this mandate, Presidential Policy Directive 21—Critical Infrastructure Security and Resilience (Feb. 12, 2013) tasks all government entities and private stakeholders with accepting responsibility for strengthening the nation’s infrastructure, including the security of medical devices. In response, industry has created a general framework of best practices, standards and guidelines to address cybersecurity concerns. To foster cooperation within industry, Information Sharing and Analysis Organizations (ISAOs) will serve both as focal points for discussion and as storehouses for the collective wisdom of private sector collaboration.
Following this overview, we will focus on three major areas of concern for the FDA: (1) risk assessment, (2) remediating and reporting vulnerabilities, and (3) the elements of an effective postmarket cybersecurity program.
In order to understand the more practical aspects of the FDA’s focus, we must first become familiar with several important concepts. Chief among these is the idea of protecting “essential clinical performance.” Essential clinical performance is “performance that is necessary to achieve freedom from unacceptable clinical risk, as defined by the manufacturer.” It is up to the manufacturer to set proper guidelines for acceptable performance, the potential severity of outcomes if performance is compromised, and risk acceptance criteria. The essential clinical performance of the device often determines the relative risk of potential vulnerabilities. The FDA noted that a cyberthreat to a thermometer is far less serious than a threat to an insulin infusion pump, because of the clear difference in the impact of a degradation of the essential clinical performance of the respective devices. Whereas a near total failure of a thermometer would be unlikely to affect patient safety, a variation in the amount of insulin delivered by an infusion pump would have an immediate effect on the patient’s blood glucose level.
Once a manufacturer determines the essential clinical performance of a device, the manufacturer must be on the lookout not only for potential threats to the device, but also for vulnerabilities within the device. Threats are broadly defined as “any circumstance or event with the potential to adversely impact the essential clinical performance of the device….” Threats also include things that would impact organizational operations, organizational assets, individuals or other organizations. Such threats could impact an information system “via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.” Threats exploit “vulnerabilities,” which are defined as “weakness(es) within the information system, system security procedures, internal controls or implementations.”
Essentially, the remainder of the guidance focuses on creating a practical roadmap for manufacturers both for dealing with cyberthreats and for meeting the new FDA reporting requirements. The ultimate goal is to keep safe and effective products on the market, knowing that some may have varying levels of vulnerability to cyberattack. With proper risk assessment, threat modeling, remediation and postmarket surveillance, a medical device company should be able to promote patient safety and continue to make medical devices safer in a dangerous world.
Stay tuned for “Part Two of Four – Risk Assessment” coming soon.
About Drug / Device Law Blog
Baker Sterchi's Drug / Device Law Blog examines topics and legal developments of interest to the drug and device industry. Learn more about the editor, Paul Penticuff, and our Drug and Device practice.