Privacy & Information Security Law Blog

On January 7, 2025, the U.S. Food and Drug Administration (“FDA”) issued draft guidance, titled “Artificial Intelligence-Enabled Device Software Functions: Lifecycle Management and Marketing Submission Recommendations” (the “Guidance”), that addresses management of cybersecurity risks affecting AI-enabled devices.

The Guidance supplements the FDA’s more general 2023 guidance, “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions,” which contains recommendations for medical device makers with respect to designing and maintaining cybersecurity, and providing cyber details to the FDA in premarket submissions.

According to the Guidance, cyber threats that can specifically affect AI-enabled devices include: data poisoning (i.e., deliberate injections of inauthentic or maliciously modified data); model inversion and theft to infer details from or replicate models; model evasion (e.g., crafting input samples to deceive models); data leakage; overfitting; model bias through manipulation of training data or other exploits; and manipulation that could lead to “model performance drift” by changing the underlying data distribution, which degrades model performance.

The Guidance also advises AI-driven device makers to provide the FDA with premarket submission details and develop mitigation and management plans to address cybersecurity risks.

In light of the recent change in the U.S. Presidency, changes and delays to the Guidance are anticipated. The Guidance is open for public comment until April 7, 2025.