81 FR 95617 - Postmarket Management of Cybersecurity in Medical Devices; Guidance for Industry and Food and Drug Administration; Availability

DEPARTMENT OF HEALTH AND HUMAN SERVICES
Food and Drug Administration

Federal Register Volume 81, Issue 249 (December 28, 2016)

Page Range: 95617-95618
FR Document: 2016-31406

[Federal Register Volume 81, Number 249 (Wednesday, December 28, 2016)]
[Notices]
[Pages 95617-95618]
From the Federal Register Online  [www.thefederalregister.org]
[FR Doc No: 2016-31406]




-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Food and Drug Administration

[Docket No. FDA-2015-D-5105]


Postmarket Management of Cybersecurity in Medical Devices; 
Guidance for Industry and Food and Drug Administration; Availability

AGENCY: Food and Drug Administration, HHS.

ACTION: Notice of availability.

-----------------------------------------------------------------------

SUMMARY: The Food and Drug Administration (FDA or Agency) is announcing 
the availability of the guidance entitled ``Postmarket Management of 
Cybersecurity in Medical Devices.'' FDA is issuing this guidance to 
inform industry and FDA staff of the Agency's recommendations for 
managing postmarket cybersecurity vulnerabilities for marketed medical 
devices. The guidance clarifies FDA's postmarket recommendations with 
regards to addressing cybersecurity vulnerabilities and emphasizes that 
manufacturers should monitor, identify, and address cybersecurity 
vulnerabilities and exploits as part of the postmarket management of 
their medical devices.

DATES: Submit either electronic or written comments on this guidance at 
any time. General comments on Agency guidance documents are welcome at 
any time.

ADDRESSES: You may submit comments as follows:

Electronic Submissions

    Submit electronic comments in the following way:
     Federal eRulemaking Portal: http://www.regulations.gov. 
Follow the instructions for submitting comments. Comments submitted 
electronically, including attachments, to http://www.regulations.gov 
will be posted to the docket unchanged. Because your comment will be 
made public, you are solely responsible for ensuring that your comment 
does not include any confidential information that you or a third party 
may not wish to be posted, such as medical information, your or anyone 
else's Social Security number, or confidential business information, 
such as a manufacturing process. Please note that if you include your 
name, contact information, or other information that identifies you in 
the body of your comments, that information will be posted on http://www.regulations.gov.
     If you want to submit a comment with confidential 
information that you do not wish to be made available to the public, 
submit the comment as a written/paper submission and in the manner 
detailed (see ``Written/Paper Submissions'' and ``Instructions'').

Written/Paper Submissions

    Submit written/paper submissions as follows:
     Mail/Hand delivery/Courier (for written/paper 
submissions): Division of Dockets Management (HFA-305), Food and Drug 
Administration, 5630 Fishers Lane, Rm. 1061, Rockville, MD 20852.
     For written/paper comments submitted to the Division of 
Dockets Management, FDA will post your comment, as well as any 
attachments, except for information submitted, marked and identified, 
as confidential, if submitted as detailed in ``Instructions.''
    Instructions: All submissions received must include the Docket No. 
FDA-2015-D-5105 for ``Postmarket Management of Cybersecurity in Medical 
Devices.'' Received comments will be placed in the docket and, except 
for those submitted as ``Confidential Submissions,'' publicly viewable 
at http://www.regulations.gov or at the Division of Dockets Management 
between 9 a.m. and 4 p.m., Monday through Friday.
     Confidential Submissions--To submit a comment with 
confidential information that you do not wish to be made publicly 
available, submit your comments only as a written/paper submission. You 
should submit two copies total. One copy will include the information 
you claim to be confidential with a heading or cover note that states 
``THIS DOCUMENT CONTAINS CONFIDENTIAL INFORMATION.'' The Agency will 
review this copy, including the claimed confidential information, in 
its consideration of comments. The second copy, which will have the 
claimed confidential information redacted/blacked out, will be 
available for public viewing and posted on http://www.regulations.gov. 
Submit both copies to the Division of Dockets Management. If you do not 
wish your name and contact information to be made publicly available, 
you can provide this information on the cover sheet and not in the body 
of your comments and you must identify this information as 
``confidential.'' Any information marked as ``confidential'' will not 
be disclosed except in accordance with 21 CFR 10.20 and other 
applicable disclosure law. For more information about FDA's posting of 
comments to public dockets, see 80 FR 56469, September 18, 2015, or 
access the information at: http://www.fda.gov/regulatoryinformation/dockets/default.htm.
    Docket: For access to the docket to read background documents or 
the electronic and written/paper comments received, go to http://www.regulations.gov and insert the docket number, found in brackets in 
the heading of this document, into the ``Search'' box and follow the 
prompts and/or go to the Division of Dockets Management, 5630 Fishers 
Lane, Rm. 1061, Rockville, MD 20852.
    An electronic copy of the guidance document is available for 
download from the Internet. See the SUPPLEMENTARY INFORMATION section 
for information on electronic access to the guidance. Submit written 
requests for a single hard copy of the guidance document entitled 
``Postmarket Management of Cybersecurity in Medical Devices'' to the 
Office of the Center Director, Guidance and Policy Development, Center 
for Devices and Radiological Health, Food and Drug Administration, 
10903 New Hampshire Ave., Bldg. 66, Rm. 5431, Silver Spring, MD 
20993-0002 or the Office of Communication, Outreach, and Development, Center 
for Biologics Evaluation and Research, Food and Drug Administration, 
10903 New Hampshire Ave., Bldg. 71, Rm. 3128, Silver Spring, MD 
20993-0002. Send one self-addressed adhesive label to assist that office in 
processing your request.

FOR FURTHER INFORMATION CONTACT: Suzanne Schwartz, Center for Devices 
and Radiological Health, Food and Drug Administration, 10903 New 
Hampshire Ave., Bldg. 66, Rm. 5434, Silver Spring, MD 20993-0002, 
301-796-6937 or Stephen Ripley, Center for Biologics Evaluation and 
Research, Food and Drug Administration, 10903 New Hampshire Ave., Bldg. 
71, Rm. 7301, Silver Spring, MD 20993-0002, 240-402-7911.

SUPPLEMENTARY INFORMATION:

I. Background

    On February 19, 2013, the President issued Executive Order 13636--
Improving Critical Infrastructure Cybersecurity, which recognized that 
resilient infrastructure is essential to preserving national security, 
economic stability, and public health and safety in the United States. 
Executive Order 13636 states that cyber threats to national security 
are among the most serious and that stakeholders must enhance the 
cybersecurity and resilience of critical infrastructure. This includes 
the Healthcare and Public Health Critical Infrastructure Sector. 
Furthermore, Presidential Policy Directive 21--Critical Infrastructure 
Security and Resilience (PPD-21) issued on February 12, 2013 tasks 
Federal Government entities to strengthen the security and resilience 
of critical infrastructure against physical and cyber threats such that 
these efforts reduce vulnerabilities, minimize consequences, and 
identify and disrupt threats. PPD-21 encourages all public and private 
stakeholders to share responsibility in achieving these outcomes.
    In recognition of the shared responsibility for cybersecurity, the 
security industry has established resources including standards, 
guidelines, best practices and frameworks for stakeholders to adopt a 
culture of cybersecurity risk management. Best practices include 
collaboratively assessing cybersecurity intelligence information for 
risks to device functionality and clinical risk. FDA believes that, in 
alignment with Executive Order 13636 and PPD-21, public and private 
stakeholders should collaborate to leverage available resources and 
tools to establish a common understanding that assesses risks for 
identified vulnerabilities in medical devices among the information 
technology community, healthcare delivery organizations, the clinical 
user community, and the medical device community. These collaborations 
can lead to the consistent assessment and mitigation of cybersecurity 
threats, and their impact on medical device safety and effectiveness, 
ultimately reducing potential risk of patient harm.
    Part 806 (21 CFR part 806) requires device manufacturers or 
importers to report promptly to FDA certain actions concerning device 
corrections and removals. However, the majority of actions taken by 
manufacturers to address cybersecurity vulnerabilities and exploits, 
referred to as ``cybersecurity routine updates and patches,'' are 
generally considered to be a type of device enhancement for which the 
FDA does not require advance notification or reporting under part 806. 
For a small subset of actions taken by manufacturers to correct device 
cybersecurity vulnerabilities and exploits that may pose a risk to 
health, the FDA would require medical device manufacturers to notify 
the Agency.
    This guidance clarifies changes to devices to be considered 
cybersecurity routine updates and patches (e.g., certain actions to 
maintain a controlled risk to health). In addition, the guidance 
outlines circumstances in which FDA does not intend to enforce 
reporting requirements under part 806 for specific vulnerabilities with 
uncontrolled risk. Specifically, FDA does not intend to enforce the 
reporting requirements when circumstances outlined in the guidance are 
met within the predefined periods of time (e.g., communicate 
vulnerability to customers and user community and propose a timeline 
for remediation within 30 days after learning of the vulnerability; fix 
the vulnerability and validate the change within 60 days after learning 
of the vulnerability; actively participate in an Information Sharing 
Analysis Organization (ISAO)). The Agency considers voluntary 
participation in an ISAO a critical component of a medical 
device manufacturer's comprehensive proactive approach to management of 
postmarket cybersecurity threats and vulnerabilities and a significant 
step towards assuring the ongoing safety and effectiveness of marketed 
medical devices.

II. Significance of Guidance

    This guidance is being issued consistent with FDA's good guidance 
practices regulation (21 CFR 10.115). The guidance represents the 
current thinking of FDA on ``Postmarket Management of Cybersecurity in 
Medical Devices.'' It does not establish any rights for any person and 
is not binding on FDA or the public. You can use an alternative 
approach if it satisfies the requirements of the applicable statutes 
and regulations.

III. Electronic Access

    Persons interested in obtaining a copy of the guidance may do so by 
downloading an electronic copy from the Internet. A search capability 
for all Center for Devices and Radiological Health guidance documents 
is available at http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/default.htm. Guidance 
documents are also available at http://www.fda.gov/BiologicsBloodVaccines/GuidanceComplianceRegulatoryInformation/Guidances/default.htm or http://www.regulations.gov. Persons unable to 
download an electronic copy of ``Postmarket Management of Cybersecurity 
in Medical Devices'' may send an email request to [email protected] to receive an electronic copy of the document. 
Please use the document number 1400044 to identify the guidance you are 
requesting.

IV. Paperwork Reduction Act of 1995

    This guidance refers to previously approved collections of 
information found in FDA regulations. These collections of information 
are subject to review by the Office of Management and Budget (OMB) 
under the Paperwork Reduction Act of 1995 (44 U.S.C. 3501-3520). The 
collections of information in 21 CFR part 803 (medical device 
reporting) have been approved under OMB control number 0910-0437; the 
collections of information in 21 CFR part 806 (reports of corrections 
and removals) have been approved under OMB control number 0910-0359; 
the collections of information in 21 CFR part 807, subpart E (premarket 
notification) have been approved under OMB control number 0910-0120; 
the collections of information in 21 CFR part 810 (medical device 
recall authority) have been approved under OMB control number 
0910-0432; the collections of information in 21 CFR part 814 (premarket 
approval) have been approved under OMB control number 0910-0231; the 
collections of information in 21 CFR part 820 (quality system 
regulations) have been approved under OMB control number 0910-0073; and 
the collections of information in 21 CFR part 822 (postmarket 
surveillance of medical devices) have been approved under OMB control 
number 0910-0449.

    Dated: December 22, 2016.
Leslie Kux,
Associate Commissioner for Policy.
[FR Doc. 2016-31406 Filed 12-27-16; 8:45 am]
 BILLING CODE 4164-01-P



                                                public and private stakeholders should                  consistent with FDA’s good guidance                   and the collections of information in 21
                                                collaborate to leverage available                       practices regulation (21 CFR 10.115).                 CFR part 822 (postmarket surveillance
                                                resources and tools to establish a                      The guidance represents the current                   of medical devices) have been approved
                                                common understanding that assesses                      thinking of FDA on ‘‘Postmarket                       under OMB control number 0910–0449.
                                                risks for identified vulnerabilities in                 Management of Cybersecurity in
                                                medical devices among the information                   Medical Devices.’’ It does not establish                Dated: December 22, 2016.
                                                technology community, healthcare                        any rights for any person and is not                  Leslie Kux,
                                                delivery organizations, the clinical user               binding on FDA or the public. You can                 Associate Commissioner for Policy.
                                                community, and the medical device                       use an alternative approach if it satisfies           [FR Doc. 2016–31406 Filed 12–27–16; 8:45 am]
                                                community. These collaborations can                     the requirements of the applicable                    BILLING CODE 4164–01–P
                                                lead to the consistent assessment and                   statutes and regulations.
                                                mitigation of cybersecurity threats, and
                                                                                                        III. Electronic Access
                                                their impact on medical device safety                                                                         DEPARTMENT OF HEALTH AND
                                                and effectiveness, ultimately reducing                     Persons interested in obtaining a copy             HUMAN SERVICES
                                                potential risk of patient harm.                         of the guidance may do so by
                                                   Part 806 (21 CFR part 806) requires                  downloading an electronic copy from                   Food and Drug Administration
                                                device manufacturers or importers to                    the Internet. A search capability for all             [Docket Nos. FDA–2016–E–1179; FDA–
                                                report promptly to FDA certain actions                  Center for Devices and Radiological                   2016–E–1181; FDA–2016–E–1182]
                                                concerning device corrections and                       Health guidance documents is available
                                                removals. However, the majority of                      at http://www.fda.gov/MedicalDevices/                 Determination of Regulatory Review
                                                actions taken by manufacturers to                       DeviceRegulationandGuidance/                          Period for Purposes of Patent
                                                address cybersecurity vulnerabilities                   GuidanceDocuments/default.htm.                        Extension; IMLYGIC
                                                and exploits, referred to as                            Guidance documents are also available
                                                ‘‘cybersecurity routine updates and                     at http://www.fda.gov/BiologicsBlood                  AGENCY:    Food and Drug Administration,
                                                patches,’’ are generally considered to be               Vaccines/GuidanceCompliance                           HHS.
                                                a type of device enhancement for which                  RegulatoryInformation/Guidances/                      ACTION:   Notice.
                                                the FDA does not require advance                        default.htm or http://
                                                notification or reporting under part 806.               www.regulations.gov. Persons unable to                SUMMARY:   The Food and Drug
                                                For a small subset of actions taken by                  download an electronic copy of                        Administration (FDA) has determined
                                                manufacturers to correct device                         ‘‘Postmarket Management of                            the regulatory review period for
                                                cybersecurity vulnerabilities and                       Cybersecurity in Medical Devices’’ may                IMLYGIC and is publishing this notice
                                                exploits that may pose a risk to health,                send an email request to CDRH-                        of that determination as required by
                                                the FDA would require medical device                    Guidance@fda.hhs.gov to receive an                    law. FDA has made the determination
                                                manufacturers to notify the Agency.                     electronic copy of the document. Please               because of the submission of
                                                   This guidance clarifies changes to                                                                         applications to the Director of the U.S.
sradovich on DSK3GMQ082PROD with NOTICES




                                                                                                        use the document number 1400044 to
                                                devices to be considered cybersecurity                  identify the guidance you are                         Patent and Trademark Office (USPTO),
                                                routine updates and patches (e.g.,                      requesting.                                           Department of Commerce, for the
                                                certain actions to maintain a controlled                                                                      extension of a patent which claims that
                                                risk to health). In addition, the guidance              IV. Paperwork Reduction Act of 1995                   human biological product.
                                                outlines circumstances in which FDA                       This guidance refers to previously                  DATES: Anyone with knowledge that any
                                                does not intend to enforce reporting                    approved collections of information                   of the dates as published (see the
                                                requirements under part 806 for specific                found in FDA regulations. These                       SUPPLEMENTARY INFORMATION section) are






Document Created: 2016-12-28 02:16:33
Document Modified: 2016-12-28 02:16:33
Category: Regulatory Information
Collection: Federal Register
SuDoc Class: AE 2.7:; GS 4.107:; AE 2.106:
Publisher: Office of the Federal Register, National Archives and Records Administration
Section: Notices
Action: Notice of availability.
Dates: Submit either electronic or written comments on this guidance at any time. General comments on Agency guidance documents are welcome at any time.
Contact: Suzanne Schwartz, Center for Devices and Radiological Health, Food and Drug Administration, 10903 New Hampshire Ave., Bldg. 66, Rm. 5434, Silver Spring, MD 20993-0002, 301-796-6937 or Stephen Ripley, Center for Biologics Evaluation and Research, Food and Drug Administration, 10903 New Hampshire Ave., Bldg. 71, Rm. 7301, Silver Spring, MD 20993-0002, 240-402-7911.
FR Citation: 81 FR 95617
