Cybersecurity
A cybersecurity incident affecting a deployed medical device is simultaneously an IT security event, a potential product safety event, and a potential FDA regulatory reporting event. The response plan must address all three dimensions — and must be designed before the incident occurs, not assembled during the crisis.
Build Your Incident Response Program
Postmarket Cybersecurity
Section 524B of the FD&C Act requires manufacturers of cyber devices to monitor, identify, and address postmarket cybersecurity vulnerabilities and exploits on a reasonably justified, risk-based schedule. The statute also requires manufacturers to provide security patches and updates. These are mandatory postmarket obligations — not best practices — for any manufacturer whose device meets the definition of a cyber device.
When a cybersecurity vulnerability or exploit results in, or has the potential to result in, a device malfunction that could cause or contribute to serious injury or death, it may trigger reporting obligations under 21 CFR Part 803 (MDR reporting) or 21 CFR Part 806 (recalls and corrections). The intersection of cybersecurity events with traditional device safety reporting creates a compliance complexity that most device manufacturers have not fully mapped. A ransomware attack that temporarily disables a device's safety alarms is not just an IT incident — it may be a reportable device malfunction. We help manufacturers understand and document the decision tree for when a cybersecurity event becomes a regulatory reporting event.
A Coordinated Vulnerability Disclosure (CVD) program establishes the channel through which security researchers, customers, and healthcare delivery organizations can report identified vulnerabilities to the manufacturer, and the process through which the manufacturer investigates, verifies, remediates, and discloses those vulnerabilities. FDA's postmarket cybersecurity guidance strongly encourages manufacturers to establish CVD programs and identifies participation in ISAOs (Information Sharing and Analysis Organizations) — particularly the Health-ISAC — as a recommended component of the postmarket cybersecurity program.
A CVD program that is too restrictive — discouraging researcher disclosure through aggressive legal language or by failing to acknowledge reports — drives vulnerability information toward public disclosure rather than coordinated remediation. A CVD program that is too permissive, without a defined scope and timelines, creates an unmanageable reporting burden. We design CVD programs that balance researcher access with operational manageability and that align with FDA's expectations for coordinated vulnerability management.
Not all cybersecurity incidents require the same response. A tiered incident classification system distinguishes between routine vulnerability disclosures, active exploits against deployed devices with limited patient impact, and critical incidents where device safety function is compromised. Each tier triggers a defined response process: notification chains, technical investigation procedures, regulatory notification assessment, customer communication, and remediation deployment timelines. Defining these tiers and response procedures before incidents occur is the difference between a controlled response and an improvised one.
Get Started
A cybersecurity incident with an unplanned response is a regulatory and reputational crisis. We build incident response programs designed for the unique intersection of device safety, HIPAA, and FDA postmarket cybersecurity requirements.