Skip to Content

We invite you to try out our new beta eCFR site at We’ve made big changes to make the eCFR easier to use. Be sure to leave feedback using the 'Help' button on the bottom right of each page!


Cybersecurity of Medical Devices: A Regulatory Science Gap Analysis; Public Workshop; Request for Comments

Document Details

Information about this document as published in the Federal Register.

Document Statistics
Document page views are updated periodically throughout the day and are cumulative counts for this document including its time on Public Inspection. Counts are subject to sampling, reprocessing and revision (up or down) throughout the day.
Enhanced Content

Relevant information about this document from provides additional context. This information is not part of the official Federal Register document.

Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble


Food and Drug Administration, HHS.


Notice of public workshop; request for comments.


The Food and Drug Administration (FDA, the Agency, or we), in association with National Science Foundation (NSF) and Department of Homeland Security, Science and Technology (DHS S&T) is announcing the following public workshop entitled “Cybersecurity of Medical Devices: A Regulatory Science Gap Analysis.” The objective of the workshop is to facilitate a discussion on the current state of regulatory science in the field of cybersecurity of medical devices, with a focus on patient safety. The purpose of this public workshop is to catalyze collaboration among Health Care and Public Health (HPH) stakeholders to identify regulatory science challenges, discuss innovative strategies to address those challenges, and encourage proactive development of analytical tools, processes, and best practices by the stakeholder community to strengthen medical device cybersecurity.


The public workshop will be held on May 18 and 19, 2017, from 8 a.m. to 6 p.m. Submit either electronic or written comments on the public workshop by June 23, 2017. Late untimely filed comments will not be considered. Electronic comments must be submitted on or before June 23, 2017. The​ electronic filing system will accept comments until midnight Eastern Time at the end of June 23, 2017. Comments received by mail/hand delivery/courier (for written/paper submissions) will be considered timely if they are postmarked or the delivery service acceptance receipt is on or before that date. See the SUPPLEMENTARY INFORMATION section for registration date and information.


The public workshop will be held at FDA's White Oak Campus, 10903 New Hampshire Ave., Bldg. 31, Rm. 1503 (The Great Room), Silver Spring, MD 20993. Entrance for the public workshop participants (non-FDA employees) is through Building 1 where routine security check procedures will be performed. For parking and security information, please refer to​AboutFDA/​WorkingatFDA/​BuildingsandFacilities/​WhiteOakCampusInformation/​ucm241740.htm.

You may submit comments as follows:

Electronic Submissions

Submit electronic comments in the following way:

  • Federal eRulemaking Portal:​. Follow the instructions for submitting comments. Comments submitted electronically, including attachments, to​ will be posted to the docket unchanged. Because your comments will be made public, you are solely responsible for ensuring that your comments do not include any confidential information that you or a third party may not wish to be public, such as medical information, your or anyone else's Social Security number, or confidential business information, such as a manufacturing process. Please note that if you include your name, contact information, or other information that identifies you in the body of your comments, that information will be posted on​.
  • If you want to submit a comment with confidential information that you do not wish to be made available to the public, submit the comment as a written/paper submission and in the manner detailed (see “Written/Paper Submissions” and “Instructions”).

Written/Paper Submissions

Submit written/paper submissions as follows:

  • Mail/Hand delivery/Courier (for written/paper submissions): Division of Dockets Management (HFA-305), Food and Drug Administration, 5630 Fishers Lane, Rm. 1061, Rockville, MD 20852.
  • For written/paper comments submitted to the Division of Dockets Management, FDA will post your comment, as well as any attachments, except for information submitted, marked and identified, as confidential, if submitted as detailed in “Instructions.”

Instructions: All submissions received must include the Docket No. FDA-2017-N-1572 for “Cybersecurity of Medical Devices: A Regulatory Science Gap Analysis.” Received comments, those filed in a timely manner (see DATES), will be placed in the docket and, except for those submitted as “Confidential Submissions,” publicly viewable at​ or at the Division of Dockets Management between 9 a.m. and 4 p.m., Monday through Friday.

  • Confidential Submissions—To submit a comment with confidential information that you do not wish to be made publicly available, submit your comments only as a written/paper submission. You should submit two copies total. One copy will include the information you claim to be confidential with a heading or cover note that states “THIS DOCUMENT CONTAINS CONFIDENTIAL INFORMATION.” The Agency will review this copy, including the claimed confidential information, in its consideration of comments. The second copy, which will have the claimed confidential information redacted/blacked out, will be available for public viewing and posted on​. Submit both copies to the Division of Dockets Management. If you do not wish your name and contact information to be made publicly available, you can provide this information on the cover sheet and not in the body of your comments and you must identify this information as “confidential.” Any information marked as “confidential” will not be disclosed except in accordance with 21 CFR 10.20 and other applicable disclosure law. For more information about FDA's posting of comments to public dockets, see 80 FR 56469, September 18, 2015, or access the information at:​fdsys/​pkg/​FR-2015-09-18/​pdf/​2015-23389.pdf.

Docket: For access to the docket to read background documents or the Start Printed Page 19060electronic and written/paper comments received, go to​ and insert the docket number, found in brackets in the heading of this document, into the “Search” box and follow the prompts and/or go to the Division of Dockets Management, 5630 Fishers Lane, Rm. 1061, Rockville, MD 20852.

Start Further Info


Dinesh Patwardhan, Food and Drug Administration, Center for Devices and Radiological Health, 10903 New Hampshire Ave., Bldg. 64, Rm. 4076, Silver Spring, MD 20993, 301-796-2622, email:

End Further Info End Preamble Start Supplemental Information


I. Background

Regulatory Science is defined as the science of developing new tools, standards, and approaches to assess the safety, efficacy, quality, and performance of all FDA-regulated medical products. At the Center for Devices and Radiological Health (CDRH), regulatory science serves to accelerate improving the safety, effectiveness, performance, and quality of medical devices and radiation-emitting products, and to facilitate entry of innovative medical devices into the marketplace. The Regulatory Science Subcommittee of the CDRH Center Science Council assessed and prioritized the regulatory science gaps for medical devices based on input from CDRH Offices (​downloads/​MedicalDevices/​ScienceandResearch/​UCM467552.pdf). These new regulatory science scientific tools, technologies, and approaches form the bridge to critical 21st century advances in public health. Cybersecurity of medical devices was identified as one of the top 10 regulatory science gaps. FDA, NSF, and DHS S&T are therefore seeking input to create a framework to address the cybersecurity regulatory science gaps. The scope and nature of this cybersecurity regulatory science research framework is designed to be broad to foster collaboration across all interested stakeholders. The framework may include collaborative research conducted between federal agencies such as NSF, DHS S&T, academia, medical device industry, and third party experts and other organizations with input from FDA. The collaborative research may include one or more of the following settings:

1. Intramural cybersecurity research conducted within FDA;

2. Extramural cybersecurity research in collaboration with other federal agencies (e.g. DHS S&T); and

3. Collaborative long term cybersecurity research conducted among federal agencies, NSF, academia, medical device industry, and third party experts and organizations.

This public workshop is not designed to discuss FDA policy regarding cybersecurity of medical devices.

II. Topics for Discussion at the Public Workshop

The public workshop sessions are planned to include a number of short opening plenary talks, followed by multiple simultaneous working sessions organized by broad themes. Attendees are encouraged to participate in at least one working session of their choice providing unique views, insights, and challenges.

Following are a list of general topics that are planned to be included for discussion during the public workshop.

  • Relationship between medical device cybersecurity and patient safety;
  • Unique cybersecurity and regulatory challenges for medical devices;
  • Differences in cybersecurity between home care, large health care providers, and acute care settings (e.g., ambulance, emergency room);
  • The roles and intersection of information technology professionals and biomedical engineering staff;
  • Potential metrics, evaluation tools to test and quantify the cybersecurity of medical devices and systems;
  • Automated and manual tools for communicating cybersecurity information about medical device design and function;
  • Best practices for cybersecurity of medical devices at deployment and how to apply updates throughout the medical device lifecycle;
  • Human factor issues in cybersecurity of medical device development, deployment, and use of devices; and
  • Best practices in cybersecurity design, deployment, and post-deployment activities and procedures.

Additional suggested topics may be submitted at the time of registration.

Each break out session discussion may include following discussion elements: (1) Immediate cybersecurity challenges and potential solutions to facilitate entry of innovative medical devices into the marketplace; (2) Cybersecurity regulatory science gaps to which solutions can be developed through additional scientific research; and (3) Long-term cybersecurity research challenges which may need significant additional basic research.

III. Participating in the Public Workshop

Registration: To register for the public workshop, please visit FDA's Medical Devices News & Events—Workshops & Conferences calendar at​MedicalDevices/​NewsEvents/​WorkshopsConferences/​default.htm. (Select this public workshop from the posted events list.) Please provide complete contact information for each attendee, including name, title, affiliation, address, email, and telephone number.

Registration is free and based on space availability, with priority given to early registrants. Persons interested in attending this public workshop must register by May 4, 2017, by 4 p.m. Eastern Time. Early registration is recommended because seating is limited; therefore, FDA may limit the number of participants from each organization. Registrants will receive confirmation when they have been accepted. If time and space permit, onsite registration on the day of the public meeting/public workshop will be provided beginning at 8 a.m. We will let registrants know if registration closes before the day of the public meeting/public workshop.

If you need special accommodations due to a disability, please contact Susan Monahan, 301-796-5661, email:, no later than May 4, 2017.

Transcripts: Please be advised that as soon as a transcript of the plenary session portion of the public workshop is available, it will be accessible at​. It may be viewed at the Division of Dockets Management (see ADDRESSES). A link to the transcript will also be available on the Internet at​MedicalDevices/​NewsEvents/​WorkshopsConferences/​default.htm. (Select this public workshop from the posted events list).

Start Signature

Dated: April 20, 2017.

Leslie Kux,

Associate Commissioner for Policy.

End Signature End Supplemental Information

[FR Doc. 2017-08314 Filed 4-24-17; 8:45 am]