[Federal Register Volume 83, Number 202 (Thursday, October 18, 2018)]
[Notices]
[Pages 52835-52837]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2018-22697]



-----------------------------------------------------------------------



DEPARTMENT OF HEALTH AND HUMAN SERVICES



Food and Drug Administration



[Docket No. FDA-2018-D-3443]




Content of Premarket Submissions for Management of Cybersecurity 

in Medical Devices; Draft Guidance for Industry and Food and Drug 

Administration Staff; Availability



AGENCY: Food and Drug Administration, HHS.



ACTION: Notice of availability.



-----------------------------------------------------------------------



SUMMARY: The Food and Drug Administration (FDA or Agency) is announcing 

the availability of the draft guidance entitled ``Content of Premarket 

Submissions for Management of Cybersecurity in Medical Devices.'' As 

more medical devices are becoming interconnected, cybersecurity threats 

have become more numerous, more frequent, more severe, and more 

clinically impactful. There is a need to provide manufacturers with 

specific technical recommendations (e.g., appropriate threat modeling 

and other premarket testing) to help ensure device cybersecurity. The 

updates to the existing ``Content of Premarket Submissions for 

Management of Cybersecurity in Medical Devices'' guidance are 

anticipated to better protect against risks, such as ransomware 

campaigns, that could disrupt clinical operations and delay patient 

care, and risks, such as exploiting a vulnerability that enables attacks 

on multiple patients. This draft guidance is not final nor is it in 

effect at this time.



DATES: Submit either electronic or written comments on the draft 

guidance by March 18, 2019 to ensure that the Agency considers your 

comment on this draft guidance before it begins work on the final 

version of the guidance.



ADDRESSES: You may submit comments on any guidance at any time as 

follows:



Electronic Submissions



    Submit electronic comments in the following way:

     Federal eRulemaking Portal: https://www.regulations.gov. 

Follow the instructions for submitting comments. Comments submitted 

electronically, including attachments, to https://www.regulations.gov 

will be posted to the docket unchanged. Because your comment will be 

made public, you are solely responsible for ensuring that your comment 

does not include any confidential information that you or a third party 

may not wish to be posted, such as medical information, your or anyone 

else's Social Security number, or confidential business information, 

such as a manufacturing process. Please note that if you include your 

name, contact information, or other information that identifies you in 

the body of your comments, that information will be posted on https://www.regulations.gov.

     If you want to submit a comment with confidential 

information that you do not wish to be made available to the public, 

submit the comment as a written/paper submission and in the manner 

detailed (see ``Written/Paper Submissions'' and ``Instructions'').



Written/Paper Submissions



    Submit written/paper submissions as follows:

     Mail/Hand delivery/Courier (for written/paper 

submissions): Dockets Management Staff (HFA-305), Food and Drug 

Administration, 5630 Fishers Lane, Rm. 1061, Rockville, MD 20852.

     For written/paper comments submitted to the Dockets 

Management Staff, FDA will post your comment, as 

well as any attachments, except for information submitted, marked and 

identified, as confidential, if submitted as detailed in 

``Instructions.''

    Instructions: All submissions received must include the Docket No. 

FDA-2018-D-3443 for ``Content of Premarket Submissions for Management 

of Cybersecurity in Medical Devices.'' Received comments will be placed 

in the docket and, except for those submitted as ``Confidential 

Submissions,'' publicly viewable at https://www.regulations.gov or at 

the Dockets Management Staff between 9 a.m. and 4 p.m., Monday through 

Friday.

     Confidential Submissions--To submit a comment with 

confidential information that you do not wish to be made publicly 

available, submit your comments only as a written/paper submission. You 

should submit two copies total. One copy will include the information 

you claim to be confidential with a heading or cover note that states 

``THIS DOCUMENT CONTAINS CONFIDENTIAL INFORMATION.'' The Agency will 

review this copy, including the claimed confidential information, in 

its consideration of comments. The second copy, which will have the 

claimed confidential information redacted/blacked out, will be 

available for public viewing and posted on https://www.regulations.gov. 

Submit both copies to the Dockets Management Staff. If you do not wish 

your name and contact information to be made publicly available, you 

can provide this information on the cover sheet and not in the body of 

your comments and you must identify this information as 

``confidential.'' Any information marked as ``confidential'' will not 

be disclosed except in accordance with 21 CFR 10.20 and other 

applicable disclosure law. For more information about FDA's posting of 

comments to public dockets, see 80 FR 56469, September 18, 2015, or 

access the information at: https://www.gpo.gov/fdsys/pkg/FR-2015-09-18/pdf/2015-23389.pdf.

    Docket: For access to the docket to read background documents or 

the electronic and written/paper comments received, go to https://www.regulations.gov and insert the docket number, found in brackets in 

the heading of this document, into the ``Search'' box and follow the 

prompts and/or go to the Dockets Management Staff, 5630 Fishers Lane, 

Rm. 1061, Rockville, MD 20852.

    You may submit comments on any guidance at any time (see 21 CFR 

10.115(g)(5)).

    An electronic copy of the guidance document is available for 

download from the internet. See the SUPPLEMENTARY INFORMATION section 

for information on electronic access to the guidance. Submit written 

requests for a single hard copy of the draft guidance document entitled 

``Content of Premarket Submissions for Management of Cybersecurity in 

Medical Devices'' to the Office of the Center Director, Guidance and 

Policy Development, Center for Devices and Radiological Health, Food 

and Drug Administration, 10903 New Hampshire Ave., Bldg. 66, Rm. 5431, 

Silver Spring, MD 20993-0002 or the Office of Communication, Outreach, 

and Development, Center for Biologics Evaluation and Research, Food and 

Drug Administration, 10903 New Hampshire Ave., Bldg. 71, Rm. 3128, 

Silver Spring, MD 20993-0002. Send one self-addressed adhesive label to 

assist that office in processing your request.



FOR FURTHER INFORMATION CONTACT: Suzanne Schwartz, Center for Devices 

and Radiological Health, Food and Drug Administration, 10903 New 

Hampshire Ave., Bldg. 66, Rm. 5434, Silver Spring, MD 20993-0002, 

301-796-6937, or Stephen Ripley, Center for Biologics Evaluation and 

Research, Food and Drug Administration, 10903 New Hampshire Ave., Bldg. 

71, Rm. 7301, Silver Spring, MD 20993, 240-402-7911.



SUPPLEMENTARY INFORMATION: 



I. Background



    The need for effective cybersecurity to assure medical device 

functionality and safety has become more important with the increasing 

use of wireless, internet- and network-connected devices, and the 

frequent electronic exchange of medical device-related health 

information. In addition, cybersecurity threats to the healthcare 

sector have become more frequent, more severe, and more clinically 

impactful. Cybersecurity incidents have rendered medical devices and 

hospital networks inoperable, disrupting the delivery of patient care 

across healthcare facilities in the United States and globally. Such 

cyberattacks and exploits can delay diagnoses and/or treatment and may 

lead to patient harm.

    Although FDA issued guidance addressing recommendations for device 

cybersecurity information in premarket submissions in 2014, \1\ the 

rapidly evolving landscape, and the increased understanding of the 

threats and their potential mitigations necessitate an updated 

approach. This draft guidance is intended to provide recommendations to 

industry regarding cybersecurity device design, labeling, and the 

documentation that FDA recommends be included in premarket submissions 

for devices with cybersecurity risk. These recommendations can 

facilitate an efficient premarket review process and help ensure that 

marketed medical devices are sufficiently resilient to cybersecurity 

threats.

---------------------------------------------------------------------------



    \1\ ``Content of Premarket Submissions for Management of 

Cybersecurity in Medical Devices--Guidance for Industry and Food and 

Drug Administration Staff'' at https://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM356190.

---------------------------------------------------------------------------



    FDA plans to hold a public workshop on January 29th and January 

30th, 2019.\2\ FDA seeks to bring together diverse stakeholders to 

discuss, in-depth, the draft guidance, ``Content of Premarket 

Submissions for Management of Cybersecurity in Medical Devices'' and 

the subtopic of the draft guidance regarding a Cybersecurity Bill of 

Materials (CBOM), which can be a critical element in identifying 

assets, threats, and vulnerabilities.

---------------------------------------------------------------------------



    \2\ https://www.fda.gov/MedicalDevices/NewsEvents/WorkshopsConferences/default.htm.

---------------------------------------------------------------------------



II. Significance of Guidance



    This draft guidance is being issued consistent with FDA's good 

guidance practices regulation (21 CFR 10.115). The draft guidance, when 

finalized, will represent the current thinking of FDA on Content of 

Premarket Submissions for Management of Cybersecurity in Medical 

Devices. It does not establish any rights for any person and is not 

binding on FDA or the public. You can use an alternative approach if it 

satisfies the requirements of the applicable statutes and regulations. 

This guidance is not subject to Executive Order 12866.



III. Electronic Access



    Persons interested in obtaining a copy of the draft guidance may do 

so by downloading an electronic copy from the internet. A search 

capability for all Center for Devices and Radiological Health guidance 

documents is available at https://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/default.htm. This 

guidance document is also available at https://www.regulations.gov or 

https://www.fda.gov/BiologicsBloodVaccines/GuidanceComplianceRegulatoryInformation/default.htm. Persons unable to 

download an electronic copy of ``Content of Premarket Submissions for 

Management of Cybersecurity in Medical Devices'' may send an email 

request to [email protected] to receive an electronic copy of 

the document. Please use the document 

number 1825 to identify the guidance you are requesting.



IV. Paperwork Reduction Act of 1995



    This draft guidance refers to previously approved collections of 

information. These collections of information are subject to review by 

the Office of Management and Budget (OMB) under the Paperwork Reduction 

Act of 1995 (44 U.S.C. 3501-3520). The collections of information in 

the following FDA regulations and guidance have been approved by OMB as 

listed in the following table:



--------------------------------------------------------------------------------------------
21 CFR part or guidance          Topic                                      OMB control No.
--------------------------------------------------------------------------------------------
807, subpart E                   Premarket notification                     0910-0120
814, subparts A through E        Premarket approval                         0910-0231
814, subpart H                   Humanitarian Device Exemption              0910-0332
812                              Investigational Device Exemption           0910-0078
``De Novo Classification         De Novo classification process             0910-0844
 Process (Evaluation of
 Automatic Class III
 Designation)''
801                              Medical Device Labeling Regulations        0910-0485
820                              Current Good Manufacturing Practice        0910-0073
                                 (CGMP); Quality System (QS) Regulation
--------------------------------------------------------------------------------------------



V. Other Issues for Consideration



    The Agency invites comments on the ``Content of Premarket 

Submissions for Management of Cybersecurity in Medical Devices'' draft 

guidance, in general, and on the following topics, in particular:

     Definition of CBOM:

          - Whether a CBOM should include both software and hardware components

     Type of information and level of detail that should be included in a CBOM

     Effective mechanisms for sharing CBOM information

     Format the CBOM should take:

          - Available formats that could be leveraged

          - Whether multiple formats would be able to co-exist

     Appropriate frequency for updating the CBOM

     Features of a CBOM that would make it automatically consumable



    Dated: October 12, 2018.

Leslie Kux,

Associate Commissioner for Policy.

[FR Doc. 2018-22697 Filed 10-17-18; 8:45 am]
