The FDA also recommends monitoring for cybersecurity vulnerabilities,
assessing potential vulnerability impact, and developing mitigation
strategies, including deploying patches or remediating code to neutralize
vulnerabilities.140 These recommendations represent industry standard
vulnerability management practices, and very thoroughly explain the
relationship between vulnerabilities and essential clinical performance.141
Although the Postmarket Guidelines do not establish binding rules for
manufacturers, their details express a relatively comprehensive
understanding of vulnerability management practices, which significantly
affect a manufacturer's ability to manage medical device risk.142
5. Scope of Application
In 2015, the FDA directly communicated its intention to regulate only
mobile applications classified as “medical devices” where their function(s)
could pose a risk to patient safety, though it began communicating its overall
reluctance to regulate mobile health applications in 2014.143 In January of
2016, the FDA first reiterated and solidified its intention to minimize its
involvement in mobile application regulation, in particular general wellness
products.144 This recent, non-binding direction effectively focuses attention

HOMELAND SECURITY, CYBERSECURITY SHARING ACT OF 2015 FINAL GUIDANCE DOCUMENTS
– NOTICE OF AVAILABILITY (June 15, 2016), https://www.gpo.gov/fdsys/pkg/FR-2016-06-
15/pdf/2016-13742.pdf. The ISACs were created in response to Executive Order 13691 on
information sharing, included in the Cybersecurity Information Sharing Act of 2015.
140. POSTMARKET MANAGEMENT, supra note 137, at 11–12.
141. See generally Murugiah Souppaya & Karen Scarfone, NAT’L INST. OF STANDARDS &
TECH., GUIDE TO ENTERPRISE PATCH MANAGEMENT TECHNOLOGIES, 3rd ed. (2013),
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-40r3.pdf (explaining the
industry standards for enterprise patch management technologies); Tom Palmaers,
Implementing a Vulnerability Management Program, SANS INST. (2013), https://www.
process-34180. Although the FDA Postmarket Guidance does not reach the level of detail
set out by NIST and SANS, its conceptual vulnerability management language references
these types of programs, and additional detail is introduced to assist manufacturers in
considering medical device risk, such as vulnerability scoring and health impact rankings.
POSTMARKET MANAGEMENT, supra note 137, at 13–15.
142. POSTMARKET MANAGEMENT, supra note 137; see CYBERSECURITY WHITE PAPER,
supra note 127 (illustrating the agency awareness of security risks potentially affecting the
medical device community).
143. U.S. FOOD & DRUG ADMIN., MOBILE MEDICAL APPLICATIONS GUIDANCE FOR
INDUSTRY AND FOOD AND DRUG ADMINISTRATION STAFF 8 (Feb. 9, 2015), http://www.fda.gov/
downloads/MedicalDevices/. . ./UCM263366.pdf [hereinafter MOBILE MEDICAL]; Examples
of Mobile Apps, supra note 118; see Mobile Medical Applications, Guidance for Industry and
Food and Drug Administration Staff; Availability, 78 Fed. Reg. 59038 (Sept. 25, 2013)
(LEXIS) (illustrating the FDA’s intent to apply regulatory requirements to only a small subset
of mobile apps).
144. U.S. FOOD & DRUG ADMIN., GENERAL WELLNESS: POLICY FOR LOW RISK DEVICES
GUIDANCE FOR INDUSTRY AND FOOD AND DRUG ADMINISTRATION STAFF 2 (July 26, 2016),