Jan 3, 2017


  • The US FDA has issued final guidance regarding post-market cybersecurity risk management for medical devices.
  • The final guidance comes about a year after the FDA published draft guidance on managing medical device cybersecurity risks.

Medical device regulators in the US have published final guidance addressing post-market cybersecurity risks for applicable devices and software products.

The new FDA document follows draft guidance issued by the agency in early 2016, and includes recommendations for manufacturers to identify and monitor cybersecurity risks associated with their marketed devices. The final guidance also outlines a risk framework registrants should utilize to determine whether changes they make to their devices to address cybersecurity vulnerabilities warrant reporting to the FDA.

The new post-market cybersecurity risk management guidance applies to devices already marketed in the US, as well as those used as parts of interoperable systems and that contain software that qualifies as a medical device.

Emergo will further analyze the new FDA guidance to determine any significant changes or additions to the draft version on which we reported in January 2016.

For more information on US medical device regulatory approaches to cybersecurity, read our whitepaper on the topic.


  • Stewart Eisenhart