FDA Taking Comments on Cybersecurity Guidance for Medical Device Manufacturers

"All medical devices that use software and are connected to hospital and health care organizations' networks have vulnerabilities—some we can proactively protect against, while others require vigilant monitoring and timely remediation," said Dr. Suzanne Schwartz, M.D., M.B.A., associate director for science and strategic partnerships and acting director of emergency preparedness/operations and medical countermeasures in FDA's Center for Devices and Radiological Health.

The U.S. Food and Drug Administration is now accepting public comments on draft guidance it issued Jan. 22 outlining steps medical device manufacturers should take to continually address cybersecurity risks in order to keep patients safe and better protect the public health. The draft guidance details how FDA recommends the companies should monitor, identify, and address cybersecurity vulnerabilities in medical devices once they have entered the market.

"Cybersecurity threats to medical devices are a growing concern," according to the agency. "The exploitation of cybersecurity vulnerabilities presents a potential risk to the safety and effectiveness of medical devices. While manufacturers can incorporate controls in the design of a product to help prevent these risks, it is essential that manufacturers also consider improvements during maintenance of devices, as the evolving nature of cyber threats means risks may arise throughout a device's entire lifecycle."

"All medical devices that use software and are connected to hospital and health care organizations' networks have vulnerabilities—some we can proactively protect against, while others require vigilant monitoring and timely remediation," said Dr. Suzanne Schwartz, M.D., M.B.A., associate director for science and strategic partnerships and acting director of emergency preparedness/operations and medical countermeasures in FDA's Center for Devices and Radiological Health.

The guidance outlines postmarket recommendations for medical device manufacturers, including the need to proactively plan for and assess cybersecurity vulnerabilities consistent with FDA's Quality System Regulation. The guidance recommends that manufacturers implement a structured, comprehensive cybersecurity risk management program. The guidance says critical components of such a program should include:

  • Applying the 2014 NIST voluntary Framework for Improving Critical Infrastructure Cybersecurity, which includes the core principles of "Identify, Protect, Detect, Respond and Recover"
  • Monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk
  • Understanding, assessing, and detecting the presence and impact of a vulnerability
  • Establishing and communicating processes for vulnerability intake and handling
  • Clearly defining essential clinical performance to develop mitigations that protect, respond, and recover from the cybersecurity risk
  • Adopting a coordinated vulnerability disclosure policy and practice
  • Deploying mitigations that address cybersecurity risk early and prior to exploitation

"The FDA is encouraging medical device manufacturers to take a proactive approach to cybersecurity management of their medical devices," said Schwartz. "Only when we work collaboratively and openly in a trusted environment will we be able to best protect patient safety and stay ahead of cybersecurity threats."

FDA is accepting public comments for 90 days.

Download Center

HTML - No Current Item Deck
  • Free Safety Management Software Demo

    IndustrySafe Safety Management Software helps organizations to improve safety by providing a comprehensive toolset of software modules to help businesses identify trouble spots; reduce claims, lost days, OSHA fines; and more.

  • Easy to Use Safety Incident App

    Record incidents on the go with IndustrySafe’s mobile app. Collect data for multiple types of incidents including including near misses, vehicle and environmental incidents, and employee and non-employee injuries; at job sites and remote locations—with or without web access.

  • Safety Training 101

    When it comes to safety training, no matter the industry, there are always questions regarding requirements and certifications. IndustrySafe is here to help. We put together a resource that’s easy to digest so you can get answers to your training questions and ensure you're complying with OSHA's standards.

  • Conduct EHS Inspections and Audits

    Record and manage your organization’s inspection data with IndustrySafe’s Inspections module. IndustrySafe’s pre-built forms and checklists may be used as is, or can be customized to better suit the needs of your organization.

  • Track Key Safety Performance Indicators

    IndustrySafe’s Dashboard Module allows organizations to easily track safety KPIs and metrics. Gain increased visibility into your business’ operations and safety data.

  • Industry Safe
comments powered by Disqus