Posted: 04 Jan 2017 07:49 PM PST
By Allyson B. Mullen -
Last week, FDA finalized the guidance document, “Postmarket Management of Cybersecurity in Medical Devices.” We previously blogged on the draft guidance released in early 2016 (here). The final guidance is similar to the draft issued in early 2016. There are, however, several noteworthy and significant edits.
In our view, the most significant of these edits is that FDA has changed nearly all references to “essential clinical performance” to “patient harm.” This change appears to shift the way in which FDA plans to evaluate cybersecurity risk—from essential clinical performance to the potential for patient harm. Specifically, FDA modified the purpose of the guidance to read, “this guidance recommends how to assess whether the risk of patient harm is sufficiently controlled or uncontrolled. This assessment is based on an evaluation of the likelihood of exploit, the impact of exploitation on the device’s safety and essential performance, and the severity of patient harm if exploited.” As exemplified by this quote, patient harm is now a key element of the final guidance.
The draft guidance dedicated several sections to defining and discussing essential clinical performance. It stated:
essential clinical performance means performance that is necessary to achieve freedom from unacceptable clinical risk, as defined by the manufacturer. Compromise of the essential clinical performance can produce a hazardous situation that results in harm and/or may require intervention to prevent harm.Thus, while the shift from essential clinical performance to patient harm is significant for purpose of the guidance, it may ultimately be simpler for manufacturers to apply. Essential clinical performance incorporated the concept of harm, but also used more amorphous concepts such as acceptable and unacceptable clinical risk. These elements may have been difficult for manufacturers to determine on a case-by-case basis. Patient harm appears to be more straightforward and in line with standards that the device industry is already used to, including for example, reporting corrections and removals under 21 C.F.R. Part 806, which is required when the action is undertaken to reduce a risk to health.
A few additional important changes include:
PRIMER DOMINGO DE ADVIENTO
Hace 14 horas