The FDA has issued a draft guidance that outlines important steps for medical device manufacturers to monitor, identify, and address post-market cybersecurity risks, according to an agency announcement. The guidelines seek to protect patients and public health from cybersecurity threats to medical devices — threats which are a growing concern to patient data and device effectiveness.
The FDA noted that the evolving nature of cyber threats means risks may arise throughout a device’s entire lifecycle, and that manufacturers need to proactively plan for and assess cybersecurity vulnerabilities, consistent with the FDA’s Quality System Regulation.
The draft guidance recommends that manufacturers implement a structured, systematic, and comprehensive cybersecurity risk management program and respond in a timely fashion to identified vulnerabilities. Critical components of such a program should include:
- Applying the 2014 NIST voluntary Framework for Improving Critical Infrastructure Cybersecurity, which includes the core principles of “Identify, Protect, Detect, Respond and Recover”;
- Monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk;
- Understanding, assessing and detecting the presence and impact of a vulnerability;
- Establishing and communicating processes for vulnerability intake and handling;
- Clearly defining essential clinical performance to develop mitigations that protect, respond and recover from the cybersecurity risk;
- Adopting a coordinated vulnerability disclosure policy and practice; and
- Deploying mitigations that address cybersecurity risk early and prior to exploitation.
“All medical devices that use software and are connected to hospital and healthcare organizations’ networks have vulnerabilities—some we can proactively protect against, while others require vigilant monitoring and timely remediation,” said Suzanne Schwartz, MD, MBA, an associate director in the FDA’s Center for Devices and Radiological Health. “Today’s draft guidance will build on the FDA’s existing efforts to safeguard patients from cyber threats by recommending medical device manufacturers continue to monitor and address cybersecurity issues while their product is on the market.”