FDA Taking Comments on Cybersecurity Guidance for Medical Device Manufacturers

"All medical devices that use software and are connected to hospital and health care organizations' networks have vulnerabilities—some we can proactively protect against, while others require vigilant monitoring and timely remediation," said Dr. Suzanne Schwartz, M.D., M.B.A., associate director for science and strategic partnerships and acting director of emergency preparedness/operations and medical countermeasures in FDA's Center for Devices and Radiological Health.

The U.S. Food and Drug Administration is now accepting public comments on draft guidance it issued Jan. 22 outlining steps medical device manufacturers should take to continually address cybersecurity risks in order to keep patients safe and better protect the public health. The draft guidance details how FDA recommends the companies should monitor, identify, and address cybersecurity vulnerabilities in medical devices once they have entered the market.

"Cybersecurity threats to medical devices are a growing concern," according to the agency. "The exploitation of cybersecurity vulnerabilities presents a potential risk to the safety and effectiveness of medical devices. While manufacturers can incorporate controls in the design of a product to help prevent these risks, it is essential that manufacturers also consider improvements during maintenance of devices, as the evolving nature of cyber threats means risks may arise throughout a device's entire lifecycle."

"All medical devices that use software and are connected to hospital and health care organizations' networks have vulnerabilities—some we can proactively protect against, while others require vigilant monitoring and timely remediation," said Dr. Suzanne Schwartz, M.D., M.B.A., associate director for science and strategic partnerships and acting director of emergency preparedness/operations and medical countermeasures in FDA's Center for Devices and Radiological Health.

The guidance outlines postmarket recommendations for medical device manufacturers, including the need to proactively plan for and assess cybersecurity vulnerabilities consistent with FDA's Quality System Regulation. The guidance recommends that manufacturers implement a structured, comprehensive cybersecurity risk management program. The guidance says critical components of such a program should include:

  • Applying the 2014 NIST voluntary Framework for Improving Critical Infrastructure Cybersecurity, which includes the core principles of "Identify, Protect, Detect, Respond and Recover"
  • Monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk
  • Understanding, assessing, and detecting the presence and impact of a vulnerability
  • Establishing and communicating processes for vulnerability intake and handling
  • Clearly defining essential clinical performance to develop mitigations that protect, respond, and recover from the cybersecurity risk
  • Adopting a coordinated vulnerability disclosure policy and practice
  • Deploying mitigations that address cybersecurity risk early and prior to exploitation

"The FDA is encouraging medical device manufacturers to take a proactive approach to cybersecurity management of their medical devices," said Schwartz. "Only when we work collaboratively and openly in a trusted environment will we be able to best protect patient safety and stay ahead of cybersecurity threats."

FDA is accepting public comments for 90 days.

Product Showcase

  • AirChek Connect Sampling Pump

    Stay connected to your sampling with the SKC AirChek® Connect Sampling Pump! With its Bluetooth connection to PC and mobile devices, you can monitor AirChek Connect pump operation without disrupting workflow. SKC designed AirChek Connect specifically for all OEHS professionals to ensure accurate, reliable flows from 5 to 5000 ml/min and extreme ease of use. AirChek Connect offers easy touch screen operation and flexibility. It is quality built to serve you and the workers you protect. Ask about special pricing and a demo at AIHA Connect Booth 1003. 3

  • NoiseCHEK Personal Noise Dosimeter

    SKC NoiseCHEK is the easiest-to-use dosimeter available! Designed specifically for OEHS professionals, SKC NoiseCHEK offers the easiest operation and accurate noise measurements. Everything you need is right in your palm. Pair Bluetooth models to your mobile devices and monitor workers remotely with the SmartWave dB app without interrupting workflow. Careful design features like a locking windscreen, sturdy clip, large front-lit display, bright status LEDs, and more make NoiseCHEK the top choice in noise dosimeters. Demo NoiseCHEK at AIHA Connect Booth 1003. 3

  • Safety Knives

    The Safety Knife Company has developed a quality range of safety knives for all industries. Designed so that fingers cannot get to the blades, these knives will safely cut through cardboard, tape, strapping, shrink or plastic wrap or a variety of other packing materials. Because these knives have no exposed blades and only cut cardboard deep, they will not only protect employees against lacerations but they will also save product. The Metal Detectable versions have revolutionary metal detectable polypropylene knife bodies specifically for the food and pharmaceutical industries. This material can be detected and rejected by typical detection machines and is X-ray visible. 3

Featured

Webinars