Last week FDA issued a draft guidance on cybersecurity, giving device manufacturers recommendations on how they should monitor, identify and address vulnerabilities in devices once they hit the market. The document, “Postmarket Management of Cybersecurity in Medical Devices”, specifies how companies should proactively plan for and evaluate security gaps in a manner consistent with the quality system regulation, and encourages information sharing through participation in an Information Sharing and Analysis Organization (a public-private sector group that exchanges cybersecurity information).
“All medical devices that use software and are connected to hospital and healthcare organizations’ networks have vulnerabilities—some we can proactively protect against, while others require vigilant monitoring and timely remediation,” said Suzanne Schwartz, M.D., associate director for science and strategic partnerships and acting director of emergency preparedness/operations and medical countermeasures at CDRH, in an agency press release. “The FDA is encouraging medical device manufacturers to take a proactive approach to cybersecurity management of their medical devices. Only when we work collaboratively and openly in a trusted environment will we be able to best protect patient safety and stay ahead of cybersecurity threats.”
The agency recommends that manufacturers use a structured risk management program so that they are prepared to address vulnerabilities. The guidance document outlines the following important elements of such a program:
- Apply the 2014 NIST voluntary Framework for Improving Critical Infrastructure Cybersecurity
- Monitor cybersecurity information sources to identify risks and vulnerabilities
- Assess and detect vulnerabilities and their impact
- Establish and communicate processes for vulnerability intake and handling
- Define critical clinical performance in order to establish methods to protect against risks, as well as how to respond to and recover from them
- Establish a coordinated vulnerability disclosure policy
- Mitigate cybersecurity risk early, before exploitation
The public can make comments on the draft guidance for the next 90 days. It will also be discussed at the agency’s cybersecurity public workshop later this week.