Almost a year after releasing draft guidance on how manufacturers should handle post-market cybersecurity vulnerabilities in medical devices, the FDA issued final guidance that clarifies when a vulnerability posing an uncontrolled risk (one that leaves an unacceptable residual risk of patient harm) must be reported.
Such an uncontrolled risk must be reported to the FDA unless all of the following hold:
- There are no known serious adverse events or deaths associated with the vulnerability;
- No later than 30 days after learning of the vulnerability, the manufacturer tells its customers and users about it, identifies interim compensating controls, and develops a remediation plan; and
- No later than 60 days after learning of the vulnerability, the manufacturer eliminates it, validates the change, and distributes an adequate fix to end users. The manufacturer should also follow up with end users as needed beyond the initial 60-day period. — Jeff Kinney