Why FDA's Medical Device Cyber Recommendations 'Have Teeth'Attorney Linda Malek Discusses New Premarket Device Security Draft Guidance
The inclusion of a new secure product development framework for manufacturers is a significant addition to recently updated Food and Drug Administration draft guidance for the cybersecurity of premarket medical devices, says attorney Linda Malek of the law firm Moses & Singer LLP.
"At a high level, in prior guidance … the FDA had been emphasizing the notion that security should be part of the design and whole life cycle of a medical device," she says.
But with the introduction of a secure product development framework in draft guidance issued in April, the FDA is much more detailed in outlining what it expects medical device manufacturers to do in the design of their devices, she says (see: FDA Document Details Cyber Expectations for Device Makers).
"That includes security risk management, security risk architecture, cybersecurity testing … and just really getting into much more specificity," Malek says in an interview with Information Security Media Group.
And importantly, despite the FDA's guidance documents, when finalized, being labeled as nonbinding, "I don't think we should assume at all that the FDA's guidance doesn't have teeth. It has teeth - and force," she says.
"To the extent that these are recommendations from the FDA in terms of how devices should implement cybersecurity measures in order to comply with the larger regulatory requirements, the FDA is indicating what its expectations are and what it will be looking at as it reviews premarket applications," she says.
"So if a device manufacturer does not implement this guidance as it rolls out its premarket applications, I think that there would be delays, a lot of questions asked. There's a lot of incentive for device makers to follow the guidance in order to obtain device approval."
In the interview (see audio link below photo), Malek also discusses:
- Other highlights of the FDA's draft guidance for premarket medical devices, for which the FDA is accepting public comment until July 7;
- Why the FDA should consider updating its 2016 guidance for postmarket medical device cybersecurity;
- Recent congressional proposals, including legislation that could empower the FDA with more statutory authority over medical device cybersecurity.
As chair of Moses & Singer’s healthcare and privacy and cybersecurity practices, Malek advises on new laws and regulations involving the impact of technology on the delivery of healthcare. She co-led the recent launch of the firm's consulting company, MS Strategic Solutions LLC, which provides advisory services to clients in the digital healthcare and life sciences sectors.