When Does a Vulnerability Require Patching? Interpreting the FDA’s 2016 Postmarket Cybersecurity Guidance

Summary

The FDA’s 2016 Postmarket Cybersecurity Guidance requires medical device manufacturers to patch or mitigate vulnerabilities that pose uncontrolled risk, are reasonably exploitable, and could lead to patient harm—typically within 60 days, with customer notification expected within 30 days. Not all vulnerabilities require fixes if risk is controlled or justified. ELTON supports these requirements by continuously evaluating exploitability, automating triage, tracking timelines, and providing audit-ready documentation to help manufacturers meet FDA expectations while avoiding unnecessary remediation.

In the world of connected medical devices, not every vulnerability demands a patch, and not every patch is the right response. The FDA’s 2016 Guidance on Postmarket Management of Cybersecurity in Medical Devices provides critical direction on how to determine when a vulnerability warrants mitigation and when it may be justifiably deferred. For manufacturers navigating regulatory compliance and patient safety, understanding this threshold is essential.

What the 2016 Guidance Says

The FDA defines a cybersecurity vulnerability as something that may affect the safety or essential performance of a medical device. According to the 2016 guidance, a vulnerability must be addressed if it meets all the following conditions:

  1. Uncontrolled Risk – The vulnerability presents a risk that is not already controlled by existing security features or design controls.

  2. Reasonably Probable Exploitation – There is a reasonable likelihood the vulnerability could be exploited, based on known attack surfaces or device exposure.

  3. Potential for Patient Harm – If exploited, the vulnerability could lead to patient harm, whether directly or indirectly through system compromise.

When these conditions are met, the FDA expects the manufacturer to act.

FDA Timeframes for Action

If the vulnerability poses uncontrolled risk and meets the FDA’s criteria, the manufacturer is expected to:

  • Communicate with customers and users within 30 days of identifying the vulnerability.

  • Mitigate the risk (e.g., patch, control, notification) within 60 days of detection.

These timeframes reflect the FDA’s emphasis on timely response and transparency, especially when patient safety may be affected. In addition, if the vulnerability qualifies as a reportable event under 21 CFR Part 806 (e.g., correction or removal due to risk), the FDA requires notification through the appropriate reporting channel.

When Patching Is Not Required

The guidance also makes clear that not all vulnerabilities require remediation. A manufacturer can justify not patching if:

  • The vulnerability is not exploitable in the device’s actual configuration or deployment context.

  • Existing mitigations already control the risk to acceptable levels.

  • The vulnerability has no impact on safety or essential performance.

  • Applying a patch would introduce greater risk than leaving the issue unaddressed (e.g., disrupting a critical therapy or requiring invasive procedures).

In such cases, justification must be documented, traceable, and continuously re-evaluated as new threats emerge.

How ELTON Helps You Comply

ELTON was built to help medical device manufacturers meet the 2016 FDA postmarket expectations with confidence. The platform continuously evaluates vulnerabilities based on product-specific architecture, dataflows, attack paths, and exploitability logic, not just generic CVE data.

Key capabilities include:

  • Automated triage and severity adjustment based on reachability and mitigations

  • Vulnerability chaining and threat simulation to assess patient impact

  • Audit-ready documentation of each finding, decision, and justification

  • Living tracking records to detect when a previously non-exploitable issue becomes risky due to new threat intelligence

ELTON also tracks and reports against FDA-recommended timelines, alerting teams when the 30- and 60-day windows are approaching and ensuring traceability for communication, CAPA, and reporting obligations.

Final Takeaway

Under the FDA’s 2016 Postmarket Cybersecurity Guidance, the decision to patch is about risk, impact, and timing, not just the presence of a CVE. ELTON enables manufacturers to identify, evaluate, and act on vulnerabilities quickly and defensibly, while reducing the noise and cost of over-triaging issues that don’t matter.

When every day counts, ELTON keeps your products compliant, secure, and ready for inspection.
