[Federal Register Volume 82, Number 78 (Tuesday, April 25, 2017)]
[Pages 19059-19060]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2017-08314]



Food and Drug Administration

[Docket No. FDA-2017-N-1572]

Cybersecurity of Medical Devices: A Regulatory Science Gap 
Analysis; Public Workshop; Request for Comments

AGENCY: Food and Drug Administration, HHS.

ACTION: Notice of public workshop; request for comments.


SUMMARY: The Food and Drug Administration (FDA, the Agency, or we), in 
association with the National Science Foundation (NSF) and the Department of 
Homeland Security, Science and Technology (DHS S&T), is announcing the 
following public workshop entitled ``Cybersecurity of Medical Devices: 
A Regulatory Science Gap Analysis.'' The objective of the workshop is 
to facilitate a discussion on the current state of regulatory science 
in the field of cybersecurity of medical devices, with a focus on 
patient safety. The purpose of this public workshop is to catalyze 
collaboration among Health Care and Public Health (HPH) stakeholders to 
identify regulatory science challenges, discuss innovative strategies 
to address those challenges, and encourage proactive development of 
analytical tools, processes, and best practices by the stakeholder 
community to strengthen medical device cybersecurity.

DATES: The public workshop will be held on May 18 and 19, 2017, from 8 
a.m. to 6 p.m. Submit either electronic or written comments on the 
public workshop by June 23, 2017. Late, untimely filed comments will not 
be considered. Electronic comments must be submitted on or before June 
23, 2017. The https://www.regulations.gov/ electronic filing system 
will accept comments until midnight Eastern Time at the end of June 23, 
2017. Comments received by mail/hand delivery/courier (for written/
paper submissions) will be considered timely if they are postmarked or 
the delivery service acceptance receipt is on or before that date. See 
the SUPPLEMENTARY INFORMATION section for registration date and 

ADDRESSES: The public workshop will be held at FDA's White Oak Campus, 
10903 New Hampshire Ave., Bldg. 31, Rm. 1503 (The Great Room), Silver 
Spring, MD 20993. Entrance for the public workshop participants (non-
FDA employees) is through Building 1 where routine security check 
procedures will be performed. For parking and security information, 
please refer to https://www.fda.gov/AboutFDA/WorkingatFDA/BuildingsandFacilities/WhiteOakCampusInformation/ucm241740.htm.
    You may submit comments as follows:

Electronic Submissions

    Submit electronic comments in the following way:
     Federal eRulemaking Portal: https://www.regulations.gov/. 
Follow the instructions for submitting comments. Comments submitted 
electronically, including attachments, to https://www.regulations.gov/ 
will be posted to the docket unchanged. Because your comments will be 
made public, you are solely responsible for ensuring that your comments 
do not include any confidential information that you or a third party 
may not wish to be public, such as medical information, your or anyone 
else's Social Security number, or confidential business information, 
such as a manufacturing process. Please note that if you include your 
name, contact information, or other information that identifies you in 
the body of your comments, that information will be posted on https://www.regulations.gov/.
     If you want to submit a comment with confidential 
information that you do not wish to be made available to the public, 
submit the comment as a written/paper submission and in the manner 
detailed (see ``Written/Paper Submissions'' and ``Instructions'').

Written/Paper Submissions

    Submit written/paper submissions as follows:
     Mail/Hand delivery/Courier (for written/paper 
submissions): Division of Dockets Management (HFA-305), Food and Drug 
Administration, 5630 Fishers Lane, Rm. 1061, Rockville, MD 20852.
     For written/paper comments submitted to the Division of 
Dockets Management, FDA will post your comment, as well as any 
attachments, except for information submitted, marked and identified, 
as confidential, if submitted as detailed in ``Instructions.''
    Instructions: All submissions received must include the Docket No. 
FDA-2017-N-1572 for ``Cybersecurity of Medical Devices: A Regulatory 
Science Gap Analysis.'' Received comments, those filed in a timely 
manner (see DATES), will be placed in the docket and, except for those 
submitted as ``Confidential Submissions,'' publicly viewable at https://www.regulations.gov/ or at the Division of Dockets Management between 
9 a.m. and 4 p.m., Monday through Friday.
     Confidential Submissions--To submit a comment with 
confidential information that you do not wish to be made publicly 
available, submit your comments only as a written/paper submission. You 
should submit two copies total. One copy will include the information 
you claim to be confidential with a heading or cover note that states 
review this copy, including the claimed confidential information, in 
its consideration of comments. The second copy, which will have the 
claimed confidential information redacted/blacked out, will be 
available for public viewing and posted on https://www.regulations.gov/. Submit both copies to the Division of Dockets 
Management. If you do not wish your name and contact information to be 
made publicly available, you can provide this information on the cover 
sheet and not in the body of your comments and you must identify this 
information as ``confidential.'' Any information marked as 
``confidential'' will not be disclosed except in accordance with 21 CFR 
10.20 and other applicable disclosure law. For more information about 
FDA's posting of comments to public dockets, see 80 FR 56469, September 
18, 2015, or access the information at: https://www.gpo.gov/fdsys/pkg/FR-2015-09-18/pdf/2015-23389.pdf.
    Docket: For access to the docket to read background documents or 
electronic and written/paper comments received, go to https://www.regulations.gov/ and insert the docket number, found in brackets in 
the heading of this document, into the ``Search'' box and follow the 
prompts and/or go to the Division of Dockets Management, 5630 Fishers 
Lane, Rm. 1061, Rockville, MD 20852.

FOR FURTHER INFORMATION CONTACT: Dinesh Patwardhan, Food and Drug 
Administration, Center for Devices and Radiological Health, 10903 New 
Hampshire Ave., Bldg. 64, Rm. 4076, Silver Spring, MD 20993, 301-796-
2622, email: [email protected].


I. Background

    Regulatory Science is defined as the science of developing new 
tools, standards, and approaches to assess the safety, efficacy, 
quality, and performance of all FDA-regulated medical products. At the 
Center for Devices and Radiological Health (CDRH), regulatory science 
serves to accelerate improving the safety, effectiveness, performance, 
and quality of medical devices and radiation-emitting products, and to 
facilitate entry of innovative medical devices into the marketplace. 
The Regulatory Science Subcommittee of the CDRH Center Science Council 
assessed and prioritized the regulatory science gaps for medical 
devices based on input from CDRH Offices (https://www.fda.gov/downloads/MedicalDevices/ScienceandResearch/UCM467552.pdf). These new 
regulatory science scientific tools, technologies, and approaches form 
the bridge to critical 21st century advances in public health. 
Cybersecurity of medical devices was identified as one of the top 10 
regulatory science gaps. FDA, NSF, and DHS S&T are therefore seeking 
input to create a framework to address the cybersecurity regulatory 
science gaps. The scope and nature of this cybersecurity regulatory 
science research framework is designed to be broad to foster 
collaboration across all interested stakeholders. The framework may 
include collaborative research conducted between federal agencies such 
as NSF, DHS S&T, academia, medical device industry, and third party 
experts and other organizations with input from FDA. The collaborative 
research may include one or more of the following settings:
    1. Intramural cybersecurity research conducted within FDA;
    2. Extramural cybersecurity research in collaboration with other 
federal agencies (e.g., DHS S&T); and
    3. Collaborative long term cybersecurity research conducted among 
federal agencies, NSF, academia, medical device industry, and third 
party experts and organizations.
    This public workshop is not designed to discuss FDA policy 
regarding cybersecurity of medical devices.

II. Topics for Discussion at the Public Workshop

    The public workshop sessions are planned to include a number of 
short opening plenary talks, followed by multiple simultaneous working 
sessions organized by broad themes. Attendees are encouraged to 
participate in at least one working session of their choice providing 
unique views, insights, and challenges.
    The following is a list of general topics that are planned to be 
included for discussion during the public workshop.
     Relationship between medical device cybersecurity and 
patient safety;
     Unique cybersecurity and regulatory challenges for medical 
     Differences in cybersecurity between home care, large 
health care providers, and acute care settings (e.g., ambulance, 
emergency room);
     The roles and intersection of information technology 
professionals and biomedical engineering staff;
     Potential metrics, evaluation tools to test and quantify 
the cybersecurity of medical devices and systems;
     Automated and manual tools for communicating cybersecurity 
information about medical device design and function;
     Best practices for cybersecurity of medical devices at 
deployment and how to apply updates throughout the medical device 
     Human factor issues in cybersecurity of medical device 
development, deployment, and use of devices; and
     Best practices in cybersecurity design, deployment, and 
post-deployment activities and procedures.
    Additional suggested topics may be submitted at the time of 
    Each breakout session discussion may include the following discussion 
elements: (1) Immediate cybersecurity challenges and potential 
solutions to facilitate entry of innovative medical devices into the 
marketplace; (2) Cybersecurity regulatory science gaps to which 
solutions can be developed through additional scientific research; and 
(3) Long-term cybersecurity research challenges which may need 
significant additional basic research.

III. Participating in the Public Workshop

    Registration: To register for the public workshop, please visit 
FDA's Medical Devices News & Events--Workshops & Conferences calendar 
at https://www.fda.gov/MedicalDevices/NewsEvents/WorkshopsConferences/default.htm. (Select this public workshop from the posted events list.) 
Please provide complete contact information for each attendee, 
including name, title, affiliation, address, email, and telephone 
    Registration is free and based on space availability, with priority 
given to early registrants. Persons interested in attending this public 
workshop must register by May 4, 2017, by 4 p.m. Eastern Time. Early 
registration is recommended because seating is limited; therefore, FDA 
may limit the number of participants from each organization. 
Registrants will receive confirmation when they have been accepted. If 
time and space permit, onsite registration on the day of the public 
meeting/public workshop will be provided beginning at 8 a.m. We will 
let registrants know if registration closes before the day of the 
public meeting/public workshop.
    If you need special accommodations due to a disability, please 
contact Susan Monahan, 301-796-5661, email: [email protected], 
no later than May 4, 2017.
    Transcripts: Please be advised that as soon as a transcript of the 
plenary session portion of the public workshop is available, it will be 
accessible at https://www.regulations.gov/. It may be viewed at the 
Division of Dockets Management (see ADDRESSES). A link to the 
transcript will also be available on the Internet at https://www.fda.gov/MedicalDevices/NewsEvents/WorkshopsConferences/default.htm. 
(Select this public workshop from the posted events list).

    Dated: April 20, 2017.
Leslie Kux,
Associate Commissioner for Policy.
[FR Doc. 2017-08314 Filed 4-24-17; 8:45 am]