FDA Taking Comments on Cybersecurity Guidance for Medical Device Manufacturers

"All medical devices that use software and are connected to hospital and health care organizations' networks have vulnerabilities—some we can proactively protect against, while others require vigilant monitoring and timely remediation," said Dr. Suzanne Schwartz, M.D., M.B.A., associate director for science and strategic partnerships and acting director of emergency preparedness/operations and medical countermeasures in FDA's Center for Devices and Radiological Health.

The U.S. Food and Drug Administration is now accepting public comments on draft guidance it issued Jan. 22 outlining steps medical device manufacturers should take to continually address cybersecurity risks in order to keep patients safe and better protect the public health. The draft guidance details how FDA recommends the companies should monitor, identify, and address cybersecurity vulnerabilities in medical devices once they have entered the market.

"Cybersecurity threats to medical devices are a growing concern," according to the agency. "The exploitation of cybersecurity vulnerabilities presents a potential risk to the safety and effectiveness of medical devices. While manufacturers can incorporate controls in the design of a product to help prevent these risks, it is essential that manufacturers also consider improvements during maintenance of devices, as the evolving nature of cyber threats means risks may arise throughout a device's entire lifecycle."

"All medical devices that use software and are connected to hospital and health care organizations' networks have vulnerabilities—some we can proactively protect against, while others require vigilant monitoring and timely remediation," said Dr. Suzanne Schwartz, M.D., M.B.A., associate director for science and strategic partnerships and acting director of emergency preparedness/operations and medical countermeasures in FDA's Center for Devices and Radiological Health.

The guidance outlines postmarket recommendations for medical device manufacturers, including the need to proactively plan for and assess cybersecurity vulnerabilities consistent with FDA's Quality System Regulation. The guidance recommends that manufacturers implement a structured, comprehensive cybersecurity risk management program. The guidance says critical components of such a program should include:

  • Applying the 2014 NIST voluntary Framework for Improving Critical Infrastructure Cybersecurity, which includes the core principles of "Identify, Protect, Detect, Respond and Recover"
  • Monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk
  • Understanding, assessing, and detecting the presence and impact of a vulnerability
  • Establishing and communicating processes for vulnerability intake and handling
  • Clearly defining essential clinical performance to develop mitigations that protect, respond, and recover from the cybersecurity risk
  • Adopting a coordinated vulnerability disclosure policy and practice
  • Deploying mitigations that address cybersecurity risk early and prior to exploitation

"The FDA is encouraging medical device manufacturers to take a proactive approach to cybersecurity management of their medical devices," said Schwartz. "Only when we work collaboratively and openly in a trusted environment will we be able to best protect patient safety and stay ahead of cybersecurity threats."

FDA is accepting public comments for 90 days.

Download Center

  • EHS Buyer's Guide

    Download this buyer's guide to make more informed decisions as you're looking for an EHS management software system for your organization.

  • Online Safety Training Buyer's Guide

    Use this handy buyer's guide to learn the basics of selecting online safety training and how to use it at your workplace.

  • COVID Return-to-Work Checklist, Fall 2021

    Use this checklist as an aid to help your organization return to work during the COVID-19 pandemic in a safe and healthy manner.

  • SDS Buyer's Guide

    Learn to make informed decisions while searching for SDS Management Software.

  • Risk Matrix Guide

    Risk matrices come in many different shapes and sizes. Understanding the components of a risk matrix will allow you and your organization to manage risk effectively.

  • Industry Safe

Featured Whitepapers

OH&S Digital Edition

  • OHS Magazine Digital Edition - September 2021

    September 2021

    Featuring:

    • COMBUSTIBLE DUST
      Managing Combustible Dust and Risk Mitigation
    • PPE: CONSTRUCTION
      The Rising Popularity of Safety Helmets on the Jobsite
    • PPE: ELECTRICAL SAFETY
      Five Tips for a Successful Wear Trial
    • SAFETY & HEALTH
      Medical Surveillance Versus Medical Screening
    View This Issue