Cybersecurity in Medical Devices: FDA Guidance and Product Liability Considerations

Client Alert | 3 min read | 11.17.23

The number of medical devices with wireless and network-connected capabilities continues to grow. At the same time, by some reports the number of ransomware attacks on health care facilities has more than doubled in recent years.[1] Recent cyberattacks, including ransomware attacks, on health care systems have resulted in stolen patient data, emergency room closures, diversion of ambulances, and cancellation of surgeries and other appointments. Given the potential disruptions to patient care from such incidents, the cybersecurity of wireless and network-connected medical devices is increasingly important to avoiding and mitigating these impacts.

Against this backdrop, the Federal Food and Drug Administration (FDA) recently published its final guidance on “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.”[2] This guidance sets forth FDA’s recommendations regarding cybersecurity controls to help ensure device safety and effectiveness, both pre- and post-market. And while FDA’s guidance does not have the force of law, adherence to the guidance will help medical device manufacturers and sponsors meet regulatory expectations with respect to cybersecurity.

Among numerous highly detailed technical recommendations, FDA’s new cybersecurity guidance highlights the overarching general principles that FDA uses to frame its regulatory approach:

  1. Cybersecurity is part of device safety and the quality system regulations. Under the broadly applicable quality system requirements, 21 CFR Part 820, all device manufacturers and sponsors must establish and follow quality systems to help ensure that their products consistently meet applicable requirements and specifications. FDA’s guidance shows—and provides examples of—how documentation that may be relevant to a device manufacturer’s or sponsor’s compliance with the quality system requirements can also be used to show how it is addressing cybersecurity considerations for the device.
  2. Designing for security. FDA recommends that going forward, device manufacturers and sponsors include information in their premarket submissions regarding how FDA’s security objectives—such as authenticity, authorization, and confidentiality—are addressed by the device’s design.
  3. Labeling. FDA recognizes that a lack of cybersecurity information for device users has the potential to impact the safety and effectiveness of a device throughout its lifespan. Accordingly, FDA recommends that cybersecurity information be included in the device labeling.
  4. Submission documentation. FDA also recognizes that the necessary cybersecurity submission documentation will likely be tailored to the cybersecurity risk of each specific device. This means that for device cybersecurity, manufacturers and sponsors of more complex devices will be expected to provide more detailed and thorough submissions that reflect more rigorous testing.

While FDA’s guidance is primarily prospective, its existence and the realities it is intended to confront highlight potential uses for the guidance in the event of product liability litigation. For example:

  • Where a device is approved through FDA’s pre-market approval process, compliance with FDA’s cybersecurity guidance may support the pre-emption of certain legal claims regarding the device’s design, labeling and warnings.
  • Maintaining the type of robust documentation that FDA recommends in the guidance may be helpful in defending a product liability suit.
  • Abiding by FDA’s recommendations in this new guidance may make available to device manufacturers or sponsors a regulatory compliance defense to a product liability claim that is recognized under the common law of certain states.

At bottom, medical device manufacturers and sponsors should familiarize themselves with the technical and broader implications of FDA’s guidance and take steps to ensure compliance. Though we are unaware of extensive product liability litigation concerning cybersecurity of a medical device at present, we will report on new developments in what could be a burgeoning area of the law.