

Drug / Device Law Blog Legal updates, news, and commentary from the attorneys of Baker Sterchi Cowden & Rice LLC

FDA – Postmarket Management of Cybersecurity in Medical Devices

June 5, 2017 | Suzanne Billam

It seems almost impossible in today’s world to escape our dependence on technology. From the minute we wake-up in the morning, we access news reports on our tablets, keep track of our health with fitness trackers, receive and respond to e-mails on our mobile phones, and many of us rely upon interconnected medical devices, such as insulin pumps, to safely navigate through a typical day.  But such convenience is not without risk. 

Medical devices, like all interconnected technology, can be vulnerable to security breaches, which “may compromise the essential clinical performance of a device” and potentially impact patient safety.  The Food and Drug Administration (“FDA”) thoroughly understands this benefit v. risk balance, and has issued a number of recommendations that address comprehensive cybersecurity over the lifecycle of medical device products.  Most recently, on December 27, 2016, the FDA issued its final Guidance on Postmarket Management of Cybersecurity in Medical Devices.  The recommendations apply to medical devices that use software, including programmable logic and software that is regulated as a medical device, including mobile medical apps.  You can link to the full text of the Guidance here.  This final Guidance closely resembles a draft of the document, issued for comment almost a year prior.  For more details on our take of the draft Guidance, see our prior series “FDA Issues Draft Guidance Document for Postmarket Management of Cybersecurity in Medical Devices” posted in four parts here, here, here, and here.  This Postmarket Guidance also follows the FDA’s Guidance on medical device premarket cybersecurity, issued in October 2014, discussed in more detail here.

The final Guidance outlines steps that medical device manufacturers and health care systems should take to monitor, identify, understand and address cybersecurity risks once medical devices and mobile medical apps have entered the marketplace.  Yet, don’t let the “guidance” nature of the document fool you into believing its recommendations are optional: the FDA takes the position that manufacturers are required to ensure the safety and efficacy of their medical devices, and should they choose not to follow this guidance, the device vendor must have in place another, comparable cybersecurity strategy in order to avoid regulatory scrutiny.

From this Guidance emerge two predominant concepts: 1) the Guidance, like its predecessor draft and the 2014 Premarket Guidance, follows a risk-based approach, i.e., guiding manufacturers to identify, assess, and mitigate risks that emerge after the device has been introduced to market; and 2) medical device cybersecurity and cybersecurity risk management must be proactively addressed throughout the entire lifecycle of a product, and is a shared responsibility among stakeholders including health care facilities, patients, providers, and manufacturers of medical devices.[1]  In other words, cybersecurity controls should be incorporated into the design, development and manufacture of a device.  But after marketing and during patient use, the device should be continuously monitored, and cybersecurity concerns addressed.

As Suzanne B. Schwartz, the FDA’s associate director for science and strategic partnerships, stated in a blog post concurrent with the issuance of the Guidance itself, “[w]ith this guidance, we now have an outline of steps the FDA recommends manufacturers take to remain vigilant and continually address the cybersecurity risks of marketed medical devices.”[2]  “This approach enables manufacturers to focus on continuous quality improvement, which is essential to ensuring the safety and effectiveness of medical devices at all stages in the device’s lifecycle.”[3]  Essential to the FDA’s recommendations is the expectation that device manufacturers implement comprehensive cybersecurity risk management programs and documentation which emphasize “addressing vulnerabilities which may permit the unauthorized access, modification, misuse or denial of use, or the unauthorized use of information that is stored, accessed, or transferred from a medical device to an external recipient, and may result in patient harm. Manufacturers should respond in a timely fashion to address identified vulnerabilities.”[4]

Critical components of such a program include:

  • Monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk;
  • Maintaining robust software lifecycle processes that include mechanisms for:
    • monitoring third party software components for new vulnerabilities throughout the device’s total product lifecycle;
    • design verification and validation for software updates and patches that are used to remediate vulnerabilities, including those related to off-the-shelf software;
  • Understanding, assessing and detecting presence and impact of a vulnerability;
  • Establishing and communicating processes for vulnerability intake and handling;
    • Note: The FDA has recognized ISO/IEC 30111:2013: Information Technology – Security Techniques – Vulnerability Handling Processes;
  • Using threat modeling to clearly define how to maintain safety and essential performance of a device by developing mitigations that protect, respond and recover from the cybersecurity risk;
  • Adopting a coordinated vulnerability disclosure policy and practice. The FDA has recognized ISO/IEC 29147:2014: Information Technology – Security Techniques – Vulnerability Disclosure which may be a useful resource for manufacturers; and
  • Deploying mitigations that address cybersecurity risk early and prior to exploitation.[5]

It is further recommended that the program incorporate elements consistent with the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity (i.e., Identify, Protect, Detect, Respond, and Recover).  For more details on these concepts, please see our previous discussion, which can be found here.

Perhaps more important than the shared responsibility of risk mitigation in cybersecurity among all stakeholders is the concept that, in the FDA’s view, cybersecurity risk management should revolve around assessing the risk to the device’s essential clinical performance, which focuses on assessing the risk of patient harm.[6]  As the Guidance explains, “[a] key purpose of conducting the cyber-vulnerability risk assessment is to evaluate whether the risk of patient harm is controlled (acceptable) or uncontrolled (unacceptable). One method of assessing the acceptability of risk involves using a matrix with combinations of ‘exploitability’ and ‘severity of patient harm’ to determine whether the risk of patient harm is controlled or uncontrolled.”[7]  This focus is achieved by considering:

(1)   The exploitability of the cybersecurity vulnerability, and

(2)   The severity of patient harm if the vulnerability were to be exploited.[8]

Such risk is to be assessed according to these two considerations on a sliding scale, which ranges from a controlled risk (low probability of a cybersecurity exploit with little impact on patient health) to an uncontrolled risk (high probability of an exploited vulnerability that seriously threatens patient safety or even patient death).  While in some cases the evaluation will yield a definite determination of controlled or uncontrolled, the possibility remains that not all situations will produce such distinct results.[9]

The Guidance provides that manufacturers should have processes for assessing the exploitability of a cybersecurity vulnerability as well as the severity of patient harm, if the cybersecurity vulnerability were to be exploited. The FDA suggests using a cybersecurity vulnerability assessment tool or similar scoring system for rating vulnerabilities and determining the need for and urgency of the response, such as the “Common Vulnerability Scoring System,” Version 3.0.[10]  Many adequate methodologies may be utilized to analyze the potential severity of patient harm, yet the Guidance highlights an approach based on qualitative severity levels as described in ANSI/AAMI/ISO 14971: 2007/(R)2010: Medical Devices – Application of Risk Management to Medical Devices.[11]  These levels range from Negligible (inconvenience or temporary discomfort) to Catastrophic (resulting in patient death).

The figure below shows the relationship between exploitability and severity of patient harm, and can be used to categorize the risk of patient harm as controlled or uncontrolled.[12]


While the FDA clearly distinguishes between a controlled risk and uncontrolled risk, even its illustrative chart above shows a large gray area of in-between, further acknowledging that it will not always be clear in which category the risk belongs.

The FDA Guidance then sets forth recommended responses to controlled and uncontrolled risks.  Controlled risk scenarios involve relatively minor issues, where there is a sufficiently low (acceptable) risk of patient harm.  However, manufacturers are still encouraged to proactively promote good cyber hygiene and reduce cybersecurity risks even when residual risk is acceptable.[13]  Uncontrolled risks, on the other hand, require immediate intervention and remediation, and must be reported under 21 CFR part 806, unless:

(1)   There are no known serious adverse events or deaths associated with the vulnerability;

(2)   The manufacturer communicates with its customers and user community regarding the vulnerability, identifies interim compensating controls, and develops a remediation plan to bring the risk to an acceptable level, as soon as possible, but no later than 30 days after learning of the vulnerability;

(3)   The manufacturer fixes the vulnerability, validates the change, and distributes the deployable fix to its customers and user community within 60 days; and,

(4)   The manufacturer actively participates as a member of an Information Sharing Analysis Organization or “ISAO.”[14]
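To make the two-axis assessment and the four reporting-exception conditions concrete, here is an added triage routine (example code written for this post, not FDA tooling or anything from the Guidance). It assumes, since the page gives neither, that exploitability is bucketed from a CVSS v3.0 base score at made-up thresholds, that the severity scale has the five ISO 14971 qualitative levels between the Negligible and Catastrophic endpoints the post names, that the matrix cells stand in for the Guidance figure that is not reproduced here, and that the 60-day fix clock starts on the date the vulnerability was learned of, as the 30-day clock does.

```python
"""Postmarket vulnerability triage modelled on the FDA guidance described above.

All thresholds, matrix cells and sample records are constructed assumptions
for illustration; they are not values from the Guidance.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import IntEnum
from typing import List, Optional, Tuple


class Severity(IntEnum):
    """ISO 14971 qualitative severity levels (assumed intermediate names)."""
    NEGLIGIBLE = 1
    MINOR = 2
    SERIOUS = 3
    CRITICAL = 4
    CATASTROPHIC = 5


def exploitability_bucket(cvss_base: float) -> str:
    """Bucket a CVSS v3.0 base score; thresholds are assumed, not from the FDA."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS v3.0 base score must be within 0.0-10.0")
    if cvss_base < 4.0:
        return "low"
    if cvss_base < 7.0:
        return "medium"
    return "high"


# Assumed stand-in for the Guidance matrix: rows = exploitability bucket,
# columns = Severity 1..5. "indeterminate" models the gray area the post notes.
RISK_MATRIX = {
    "low":    ["controlled", "controlled", "controlled", "indeterminate", "indeterminate"],
    "medium": ["controlled", "controlled", "indeterminate", "indeterminate", "uncontrolled"],
    "high":   ["controlled", "indeterminate", "indeterminate", "uncontrolled", "uncontrolled"],
}


def classify_risk(cvss_base: float, severity: Severity) -> str:
    return RISK_MATRIX[exploitability_bucket(cvss_base)][int(severity) - 1]


@dataclass
class VulnerabilityRecord:
    identifier: str
    cvss_base: float
    severity: Severity
    learned_on: date
    serious_adverse_events: int = 0
    customers_notified_on: Optional[date] = None   # communication + interim controls
    remediation_plan_on: Optional[date] = None
    fix_distributed_on: Optional[date] = None      # validated, deployable fix
    isao_member: bool = False


def reporting_exception_applies(rec: VulnerabilityRecord) -> Tuple[bool, List[str]]:
    """Check the four conditions under which an uncontrolled risk need not be
    reported under 21 CFR part 806. Returns (all_met, list_of_unmet_conditions)."""
    unmet = []
    if rec.serious_adverse_events > 0:
        unmet.append("serious adverse events or deaths associated with the vulnerability")
    day30 = rec.learned_on + timedelta(days=30)
    if rec.customers_notified_on is None or rec.customers_notified_on > day30:
        unmet.append("customers not notified / interim controls not identified within 30 days")
    if rec.remediation_plan_on is None or rec.remediation_plan_on > day30:
        unmet.append("remediation plan not developed within 30 days")
    day60 = rec.learned_on + timedelta(days=60)   # assumed to run from learned_on
    if rec.fix_distributed_on is None or rec.fix_distributed_on > day60:
        unmet.append("validated fix not distributed within 60 days")
    if not rec.isao_member:
        unmet.append("manufacturer is not an active ISAO member")
    return (not unmet, unmet)


def triage(rec: VulnerabilityRecord) -> dict:
    """Classify the risk; only uncontrolled risks trigger the part 806 check."""
    risk = classify_risk(rec.cvss_base, rec.severity)
    result = {"id": rec.identifier, "risk": risk, "report_806": False, "unmet": []}
    if risk == "uncontrolled":
        ok, unmet = reporting_exception_applies(rec)
        result["report_806"] = not ok
        result["unmet"] = unmet
    return result


# Constructed sample records (dates and scores are invented for the example).
SAMPLE_RECORDS = [
    VulnerabilityRecord("VULN-A", 9.1, Severity.CATASTROPHIC, date(2017, 1, 10),
                        customers_notified_on=date(2017, 1, 25),
                        remediation_plan_on=date(2017, 2, 1),
                        fix_distributed_on=date(2017, 3, 5), isao_member=True),
    VulnerabilityRecord("VULN-B", 8.0, Severity.CRITICAL, date(2017, 1, 10),
                        customers_notified_on=date(2017, 2, 20)),  # late, no plan/fix
    VulnerabilityRecord("VULN-C", 3.1, Severity.MINOR, date(2017, 1, 10)),
    VulnerabilityRecord("VULN-D", 5.5, Severity.SERIOUS, date(2017, 1, 10)),
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(triage(r))
```

VULN-A is uncontrolled but meets all four conditions, so no part 806 report is flagged; VULN-B misses the 30-day communication deadline and the other conditions, so it is flagged, while VULN-C and VULN-D never reach the reporting check.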

Like its draft before it, the final Guidance additionally contains an essential practical element in its Appendix: “Elements of an Effective Postmarket Cybersecurity Program.”  The Appendix encompasses the totality of the FDA’s recommendations, in an easy-to-follow five-prong framework, consistent with the elements of the NIST Framework for Improving Critical Infrastructure Cybersecurity.  These prongs are: A) Identify, B) Protect/Detect, C) Protect/Respond/Recover, and D) Risk Mitigation of Safety and Essential Performance.[15]

All medical devices come with both risks and benefits.  While it may not always be clear whether a particular risk is categorized as controlled or uncontrolled, the FDA has been explicitly clear in both its Premarket and Postmarket Guidances that comprehensive cybersecurity and risk analysis must be addressed over the lifecycle of medical device products, keeping a primary focus on the risk of patient harm.

[1] Guidance, at 12.


[3] Id.

[4] Guidance, at 13.

[5] Guidance, at 13-14.

[6] Guidance, at 15 (emphasis in original).

[7] Guidance, at 17.

[8] Guidance, at 15.

[9] Guidance, at 17.

[10] For more details, see “Common Vulnerability Scoring System,” Version 3.0: Specification Document (

[11] Guidance, at 17.

[12] Guidance, at 18.

[13] Guidance, at 19.

[14] Guidance, at 22-23.

[15] Guidance, at 27-30.

Federal Judge Clobbers Claims in a Class III Medical Device Case

May 22, 2017 | Jeffery Kruse

Talk about a one-two punch. First, federal question jurisdiction kept a medical device case in federal court.  And then came the knock-out blow: a federal judge in North Carolina ruled that federal preemption barred all of the state law claims against the medical device companies.  In Burrell v. Bayer Corp., U.S. Dist. LEXIS 38769 (W.D. N.C. March 17, 2017) (Burrell I), Judge Max O. Cogburn, Jr. retained jurisdiction over the medical device related lawsuit based on federal question jurisdiction.  In a subsequent order, Judge Cogburn granted Bayer’s motion to dismiss plaintiff’s claims because federal law preempts those claims.  Burrell v. Bayer Corp., U.S. Dist. LEXIS 71374 (W.D. N.C. May 10, 2017) (Burrell II).

The plaintiff in Burrell alleged she was injured as a result of her use of an Essure birth control device.  The Essure device is a Class III medical device approved by the FDA through the pre-market approval process.  Plaintiff sued various Bayer entities, as well as local doctors for malpractice to defeat diversity jurisdiction.  Bayer removed the case to federal court arguing it belonged there because of federal question jurisdiction.  As evidenced by the inclusion of local defendants in her Complaint, plaintiff did not want the case in federal court and, thus, filed a motion to remand.

But the plaintiff’s Complaint was “replete with references to the FDA” and included numerous allegations “that the defendants violated the federal requirements of the Federal Food, Drug & Cosmetic Act (FDCA).”  Burrell I, at *4-5.  Because plaintiff’s Complaint “necessarily raise[d] federal issues,” Judge Cogburn concluded it was “properly a case that ‘arises from’ federal law, as the MDA was passed by Congress to govern the safety and effectiveness of Class III medical devices.”  Id. at *11.  He therefore retained jurisdiction over the case and denied plaintiff’s motion to remand.  Id.

Just under two months later, Judge Cogburn delivered the knockout punch by granting Bayer’s motion to dismiss.  Before delivering the decisive blow, though, Judge Cogburn had to block plaintiff’s counter punch – a motion to reconsider the remand denial order.  In Burrell II, plaintiff tried again to convince Judge Cogburn that he should remand the case to state court.  Judge Cogburn had no trouble crushing plaintiff’s reconsideration attack.  For her reconsideration argument, the plaintiff relied on a 2005 Fourth Circuit case for the proposition that:

“[A] preemption defense that raises a federal question is inadequate to confer federal jurisdiction. Again, a case may not be removed to federal court on the basis of a federal defense, including the defense of preemption,” even if the complaint begs the assertion of the defense, and even if the defense is the only question truly at issue in the case.

Burrell II, at *8-9 quoting Pinney v. Nokia, Inc., 402 F.3d 430, 446 (4th Cir. 2005).

But Judge Cogburn easily rebuffed the reconsideration wrangle by distinguishing Burrell from Pinney. While federal law “was ‘lurking’ as a question in the background” in Pinney, in Burrell II, “[b]y plaintiff’s own admission,” she alleged violations of the FDCA as part of her state law claims and thus her Complaint met the requirements for federal jurisdiction.  Motion for reconsideration denied.

After successfully deflecting plaintiff’s reconsideration left hook, Judge Cogburn led with a little jab about preemption.  Usually, when a judge begins a preemption discussion by noting that “Federal law generally recognizes a presumption against preemption,” the defendant can expect a body blow at the end of the discussion.  Thankfully, that was not what happened in Burrell II.  Instead, Judge Cogburn followed the jab with the express and implied preemption combination by noting that “the task of avoiding express and implied preemption is a difficult one.”  Burrell II.  He then thoroughly analyzed plaintiff’s claims and concluded federal law preempted all of the claims against the Bayer defendants.

Negligent Failure to Warn Claims

Plaintiff alleged the Bayer defendants were negligent by failing to warn of adverse events relating to Essure and that they “were under a continuing duty to comply with requirements” in the FDA’s pre-market approval of Essure.  On this point, the court agreed with the plaintiff. Burrell II at *12. But that agreement also meant federal law preempted plaintiff’s negligence claims because “plaintiff’s cause of action is being brought because the Bayer defendants allegedly failed to meet those reporting requirements.”  Id. at *12-13.

To ensure the negligent failure to warn claims remained knocked out, as an added bonus, Judge Cogburn also ruled that “plaintiff cannot support a finding of causation” for those warnings claims.  Id. at *13.  Judge Cogburn explained that by the time the plaintiff in Burrell received her device, “the FDA had the related information regarding the adverse event reports mentioned by plaintiff.”  Id. Thus, in addition to being a preempted claim, Judge Cogburn found that plaintiff “failed to show that the failure-to-warn caused her injuries.”  Id.

Negligent Failure to Train Claims

In addition to her negligent failure-to-warn claims, plaintiff also asserted claims that the Bayer Defendants failed to train the implanting physician about how “to implant the device, deal with potential complications, and remove the device.” Id. at *14.  Judge Cogburn quickly dispensed with plaintiff’s failure-to-train combination.  Federal law preempted plaintiff’s negligent training claim because plaintiff’s claim “imposes a duty that is beyond the confines of the MDA.” Id.  But on the downside, Judge Cogburn noted that such a claim could survive a preemption attack “to the extent that the manufacturer failed to provide the training required by the MDA.”  Id.  However, plaintiff’s Complaint did “not provide information as to how the training violated the FDA’s requirements or how her physician was trained.”  Id. at *14-15.  Due to lack of information on that point, federal law preempted the claim.

As with the negligent warning claims, Judge Cogburn also found plaintiff failed to provide sufficient facts to establish that any training failure caused her injuries.  Thus, in addition to being preempted, the negligent training claims failed for lack of causation.

Manufacturing Defect Claims

Judge Cogburn also knocked aside plaintiff’s weak attempt at throwing a manufacturing defect punch.  Although the plaintiff alleged her Essure was “manufactured improperly,” she did not link “any manufacturing deficiency to the device that [she] received and how it caused the alleged injuries.”  Id. at *16.  Thus, her manufacturing defect claim failed.

Design Defect Claim

Judge Cogburn parried plaintiff’s product liability claim as well. To the extent plaintiff argued that Essure suffered from a design defect, federal law expressly preempted those claims.  In brushing aside the design defect claim, Judge Cogburn simply noted that “The FDA made its determination [about the] safety and effectiveness” of the Essure and therefore “these design defect claims are preempted.”  Id. at *17.

Breach of Warranty Claims

Judge Cogburn blasted the breach of warranty claims.  The plaintiff alleged the Bayer defendants “expressly warranted Essure to be safe for use by the general public, including Plaintiff” and that the “warranties and representations ‘were untrue in that Essure was unsafe and unsuited for the use for which it was intended.’” Id. at *18.  In short, Judge Cogburn noted that “Congress provided the FDA with the authority to regulate the safety and effectiveness of Class III medical devices.”  So, he dismissed the breach of warranty claims.

Fraud and Unfair Trade Practices Claims

Finally, with all other claims against Bayer flat on the mat, Judge Cogburn crushed plaintiff’s unfair and deceptive trade practices claims.  Judge Cogburn noted that the “allegations largely repackage the allegations” he already dismissed and that “several of the alleged misrepresentations are indistinguishable from FDA-approved labeling statements.”  Id. at *19-20.  Plaintiff’s allegations of “deviations from the FDA-approved language” were insufficient to “support a claim based on fraudulent behavior or unfair trade practices.”  Id. at *20.  Federal law preempted those claims.

Medical Malpractice Claims

After knocking out all of the plaintiff’s claims against the Bayer defendants, Judge Cogburn came full circle and turned his attention to the medical malpractice claims against the local defendants.  Plaintiff eventually got her wish – the case will not remain in federal court.  Judge Cogburn declined to exercise supplemental jurisdiction over the medical malpractice claims and dismissed those claims pursuant to 28 U.S.C. § 1367(c)(3) so plaintiff could reassert those claims in state court.

Post Bout Summary

Under Riegel v. Medtronic, Inc., 552 U.S. 313, 128 S. Ct. 999 (2008), plaintiffs in Class III medical device cases have a “narrow window” through which they must plead when attempting to state “parallel claims.”  Judge Cogburn’s orders in this case provide great training roadmaps for knocking out claims in Class III medical device cases when plaintiffs allege violations of the FDCA or FDA regulations.  Bayer used a great combination of federal question jurisdiction and preemption arguments to flatten plaintiff’s claims in this Class III medical device case.  Bayer made the arguments, and Judge Cogburn delivered the epic knockout.

Indiana Judge Relies on Bausch to Bounce Preemption Motion

May 15, 2017 | Jeffery Kruse

The old adage “location, location, location” applies as much for medical device preemption as it does for real estate. Despite acknowledging that the plaintiff’s Amended Complaint “would likely not survive a motion to dismiss if this case was pending in a court in the Eighth Circuit (or perhaps the Eastern District of New York),” an Indiana federal judge recently denied Medtronic’s motion to dismiss the Amended Complaint in Cavender v. Medtronic, Inc. (Cavender II), 2017 U.S. Dist. LEXIS 57376 (N.D. Ind. Apr. 14, 2017). 

As frequently happens in cases involving pre-market approved medical devices, the court dismissed the initial Complaint because it was “nothing more than the sort of ‘unadorned, the-defendant-unlawfully-harmed-me accusation’” and was “still in the ‘assembly required’ stage.” Cavender v. Medtronic, Inc. (Cavender I), 2016 U.S. Dist. LEXIS 154540 *20-21 (N.D. Ind. Nov. 8, 2016).  But, just as many other courts do, the judge in this case, Judge William C. Lee, granted the motion to dismiss without prejudice and gave the plaintiff another chance to try to plead a valid claim.

In Cavender I, the plaintiff alleged that her implantable cardioverter defibrillator malfunctioned and injured her.  She filed her initial complaint “apparently asserting product liability, breach of warranty and negligence claims against Medtronic.”  Cavender I, at *2.  Judge Lee’s first task in Cavender I was to determine whether the Indiana Product Liability Act (IPLA) preempted and subsumed plaintiff’s attempted product liability claims.  Judge Lee concluded that the IPLA subsumed the negligence and product defect claims. 

However, plaintiff’s complaint lacked specifics and was “nothing more than the sort of ‘unadorned, the-defendant-unlawfully-harmed-me accusation’” which was “chock-full of keywords that imply” that the plaintiff was “attempting to assert various product liability claims.” Id. at *20.  Because the plaintiff’s complaint “need[ed] work” and was “still in the ‘assembly required’ stage,” Judge Lee gave plaintiff another chance to plead valid claims.  Id. at *21-22 and 37. 

In his order in Cavender I, Judge Lee offered guidance for what plaintiff needed to do to plead valid claims.  For example, in response to Medtronic’s argument that federal law preempts plaintiff’s claims, Judge Lee noted that the Complaint “is completely devoid of any facts whatsoever that would even imply that she is alleging a violation of federal law.”  Id. at *28.  Judge Lee advised the plaintiff that the “amended complaint will clarify this issue also.”  Id. at *29.

Rather than directly clarifying the issue as instructed by Judge Lee, in the Amended Complaint, the plaintiff switched which device she was claiming caused her injury.  In the initial Complaint, she vaguely alleged that a defibrillator malfunctioned and injured her.  Id. at *2.  In the Amended Complaint, she copied allegations from the Master Consolidated Complaint in the Sprint Fidelis Leads Prods. Liab. Litig. MDL and alleged a separate device, a Sprint Fidelis lead, caused her injuries.  

Plaintiff copied the allegations from the Sprint Fidelis Leads Prods. Liab. Litig. MDL even though the MDL judge dismissed those claims with prejudice at the pleading stage. See In re Medtronic, Inc. Sprint Fidelis Leads Prods. Liab. Litig., 592 F. Supp. 2d 1147 (D. Minn. 2009) (dismissing the Master Complaint because federal law preempted the negligence and strict liability claims), aff’d Bryant v. Medtronic, Inc. (In re Medtronic, Inc., Sprint Fidelis Leads Prods. Liab. Litig.), 623 F.3d 1200 (8th Cir. 2010).

By copying the preexisting and previously dismissed complaint, the plaintiff added more detail than in her initial complaint.  Judge Lee noted that:

[W]hile the claims contained in her original Complaint were barely discernible, they now jump vividly off the page in full regalia, all because they are clothed in language taken—largely verbatim—from another complaint filed against Medtronic that was summarily dismissed by another district court eight years ago. Id. at *8-9.

Despite the product switcheroo and the blatant copying of a previously dismissed complaint, in Cavender II, Judge Lee concluded that the Seventh Circuit’s decision in Bausch v. Stryker Corp., 630 F.3d 546 (7th Cir. 2010), “precludes dismissal of Cavender’s IPLA claim at this point and the motion to dismiss must be denied as to the issue of federal preemption of that claim.”  Cavender at *33. 

Judge Lee noted that the Seventh Circuit in Bausch agreed with the dissent in the Eighth Circuit’s decision affirming the dismissal of the Master Complaint in the Sprint Fidelis Leads Prods. Liab. Litig. MDL. In short, “the Seventh Circuit took a decidedly different approach to the issue of MDA preemption as it applies to state law claims.”  Cavender II at *26-27.  Thus, according to Judge Lee, “the Bausch decision mandates that [plaintiff] be permitted, at this juncture, to proceed with that claim notwithstanding the preemption clause in the MDA.” Id. at *38.

One other aspect of Judge Lee’s order is noteworthy.  The plaintiff argued that, because preemption is an affirmative defense, she should not have to “defend” against an affirmative defense at this stage, and thus the Court should not consider the defense as a basis for dismissal.  Id. at n.5 *21.  Medtronic did not take issue with “that statement of the law” and Judge Lee declared that plaintiff was “correct, of course.”  Id. Rather than take issue with the statement of law, Medtronic argued that because the plaintiff “copied and pasted the very detailed, dismissed MDL complaint relating to this Lead[,]” she has, “[u]nder Seventh Circuit law . . . pled enough facts for the Court to consider the affirmative defense of preemption.”  Id. Because Judge Lee concluded that the Bausch decision precluded preemption at the pleading stage in this case, he determined that the issue was “rendered irrelevant.”  Id.

Judge Lee’s order is yet another example of how the Bausch decision continues to cause problems for medical device makers at the motion to dismiss phase in cases in the Seventh Circuit.  The plaintiff in Cavender II simply copied allegations the Eighth Circuit had already dismissed as preempted.  But because of the overly permissive language of Bausch, those same claims survive the motion to dismiss in the Seventh Circuit.  Medtronic’s preemption argument may very well prevail at the summary judgment stage, but only after incurring unnecessary litigation expenses.

About Drug / Device Law Blog

The BSCR Drug / Device Law Blog examines topics and legal developments of interest to the drug and device industry. Learn more about the editor, Angela Higgins, and our Drug and Device practice.
