FDA Taking Comments on Cybersecurity Guidance for Medical Device Manufacturers

The U.S. Food and Drug Administration is now accepting public comments on draft guidance it issued Jan. 22 outlining steps medical device manufacturers should take to continually address cybersecurity risks in order to keep patients safe and better protect the public health. The draft guidance details how FDA recommends that companies monitor, identify, and address cybersecurity vulnerabilities in medical devices once they have entered the market.

"Cybersecurity threats to medical devices are a growing concern," according to the agency. "The exploitation of cybersecurity vulnerabilities presents a potential risk to the safety and effectiveness of medical devices. While manufacturers can incorporate controls in the design of a product to help prevent these risks, it is essential that manufacturers also consider improvements during maintenance of devices, as the evolving nature of cyber threats means risks may arise throughout a device's entire lifecycle."

"All medical devices that use software and are connected to hospital and health care organizations' networks have vulnerabilities—some we can proactively protect against, while others require vigilant monitoring and timely remediation," said Dr. Suzanne Schwartz, M.D., M.B.A., associate director for science and strategic partnerships and acting director of emergency preparedness/operations and medical countermeasures in FDA's Center for Devices and Radiological Health.

The guidance outlines postmarket recommendations for medical device manufacturers, including the need to proactively plan for and assess cybersecurity vulnerabilities consistent with FDA's Quality System Regulation. The guidance recommends that manufacturers implement a structured, comprehensive cybersecurity risk management program. The guidance says critical components of such a program should include:

  • Applying the 2014 NIST voluntary Framework for Improving Critical Infrastructure Cybersecurity, which includes the core principles of "Identify, Protect, Detect, Respond and Recover"
  • Monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk
  • Understanding, assessing, and detecting the presence and impact of a vulnerability
  • Establishing and communicating processes for vulnerability intake and handling
  • Clearly defining essential clinical performance to develop mitigations that protect, respond, and recover from the cybersecurity risk
  • Adopting a coordinated vulnerability disclosure policy and practice
  • Deploying mitigations that address cybersecurity risk early and prior to exploitation

"The FDA is encouraging medical device manufacturers to take a proactive approach to cybersecurity management of their medical devices," said Schwartz. "Only when we work collaboratively and openly in a trusted environment will we be able to best protect patient safety and stay ahead of cybersecurity threats."

FDA is accepting public comments for 90 days.
