News Feature | January 28, 2016

FDA Releases Draft Guidance For Medical Device Cybersecurity


By Christine Kern, contributing writer


The new guidelines address post-market management of cybersecurity vulnerabilities.

New draft guidance from the Food and Drug Administration outlines the steps the agency recommends manufacturers take to protect their medical devices against cyberattacks. According to the guidance, device makers should not only establish cybersecurity-related design inputs during development, they should also manage the threats and vulnerabilities that emerge after a product is on the market.

“All medical devices that use software and are connected to hospital and health care organizations’ networks have vulnerabilities — some we can proactively protect against, while others require vigilant monitoring and timely remediation,” Suzanne Schwartz, M.D., M.B.A., associate director for science and strategic partnerships and acting director of emergency preparedness/operations and medical countermeasures in the FDA’s Center for Devices and Radiological Health, explained in a statement.

“Today’s draft guidance will build on the FDA’s existing efforts to safeguard patients from cyber threats by recommending medical device manufacturers continue to monitor and address cybersecurity issues while their product is on the market.”

The new draft guidance recommends proactive planning for and assessment of cybersecurity vulnerabilities, consistent with the FDA’s Quality System Regulation, and treats information sharing through an Information Sharing and Analysis Organization (ISAO) as a vital part of the process. It further recommends that manufacturers implement a structured, systematic and comprehensive cybersecurity risk management program and respond to identified vulnerabilities in a timely fashion.

According to the statement, the critical components of such a program should include:

  • applying the 2014 NIST voluntary Framework for Improving Critical Infrastructure Cybersecurity, which includes the core principles of “Identify, Protect, Detect, Respond and Recover;”
  • monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk;
  • understanding, assessing and detecting presence and impact of a vulnerability;
  • establishing and communicating processes for vulnerability intake and handling;
  • clearly defining essential clinical performance in order to develop mitigations that protect against, respond to and recover from the cybersecurity risk;
  • adopting a coordinated vulnerability disclosure policy and practice; and
  • deploying mitigations that address cybersecurity risk early and prior to exploitation.

“The FDA is encouraging medical device manufacturers to take a proactive approach to cybersecurity management of their medical devices,” said Schwartz. “Only when we work collaboratively and openly in a trusted environment, will we be able to best protect patient safety and stay ahead of cybersecurity threats.”