FDA Taking Comments on Cybersecurity Guidance for Medical Device Manufacturers

"All medical devices that use software and are connected to hospital and health care organizations' networks have vulnerabilities—some we can proactively protect against, while others require vigilant monitoring and timely remediation," said Dr. Suzanne Schwartz, M.D., M.B.A., associate director for science and strategic partnerships and acting director of emergency preparedness/operations and medical countermeasures in FDA's Center for Devices and Radiological Health.

The U.S. Food and Drug Administration is now accepting public comments on draft guidance it issued Jan. 22 outlining steps medical device manufacturers should take to continually address cybersecurity risks in order to keep patients safe and better protect the public health. The draft guidance details how FDA recommends the companies should monitor, identify, and address cybersecurity vulnerabilities in medical devices once they have entered the market.

"Cybersecurity threats to medical devices are a growing concern," according to the agency. "The exploitation of cybersecurity vulnerabilities presents a potential risk to the safety and effectiveness of medical devices. While manufacturers can incorporate controls in the design of a product to help prevent these risks, it is essential that manufacturers also consider improvements during maintenance of devices, as the evolving nature of cyber threats means risks may arise throughout a device's entire lifecycle."

"All medical devices that use software and are connected to hospital and health care organizations' networks have vulnerabilities—some we can proactively protect against, while others require vigilant monitoring and timely remediation," said Dr. Suzanne Schwartz, M.D., M.B.A., associate director for science and strategic partnerships and acting director of emergency preparedness/operations and medical countermeasures in FDA's Center for Devices and Radiological Health.

The guidance outlines postmarket recommendations for medical device manufacturers, including the need to proactively plan for and assess cybersecurity vulnerabilities consistent with FDA's Quality System Regulation. The guidance recommends that manufacturers implement a structured, comprehensive cybersecurity risk management program. The guidance says critical components of such a program should include:

  • Applying the 2014 NIST voluntary Framework for Improving Critical Infrastructure Cybersecurity, which includes the core principles of "Identify, Protect, Detect, Respond and Recover"
  • Monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk
  • Understanding, assessing, and detecting the presence and impact of a vulnerability
  • Establishing and communicating processes for vulnerability intake and handling
  • Clearly defining essential clinical performance to develop mitigations that protect, respond, and recover from the cybersecurity risk
  • Adopting a coordinated vulnerability disclosure policy and practice
  • Deploying mitigations that address cybersecurity risk early and prior to exploitation

"The FDA is encouraging medical device manufacturers to take a proactive approach to cybersecurity management of their medical devices," said Schwartz. "Only when we work collaboratively and openly in a trusted environment will we be able to best protect patient safety and stay ahead of cybersecurity threats."

FDA is accepting public comments for 90 days.

Download Center

  • Lone Worker Safety Guide

    As organizations digitalize and remote operations become more commonplace, the number of lone workers is on the rise. These employees are at increased risk for unaddressed workplace accidents or emergencies. This guide was created to help employers better understand common lone worker risks and solutions for lone worker risk mitigation and incident prevention.

  • Online Safety Training Buyer's Guide

    Use this handy buyer's guide to learn the basics of selecting online safety training and how to use it at your workplace.

  • COVID Return-to-Work Checklist, Fall 2021

    Use this checklist as an aid to help your organization return to work during the COVID-19 pandemic in a safe and healthy manner.

  • SDS Buyer's Guide

    Learn to make informed decisions while searching for SDS Management Software.

  • Risk Matrix Guide

    Risk matrices come in many different shapes and sizes. Understanding the components of a risk matrix will allow you and your organization to manage risk effectively.

  • Industry Safe

Featured Whitepapers

OH&S Digital Edition

  • OHS Magazine Digital Edition - October 2021

    October 2021

    Featuring:

    • TRAINING
      On Route To Safe Material Handling
    • SAFETY CULTURE
      Normalization of Deviations in Performance
    • IH:INDOOR AIR QUALITY
      Arresting Fugitive Dusts
    • PPE:FOOT PROTECTION
      Safety Shoes Make the Outfit for Well-Protected Workers
    View This Issue