On January 15, 2015, the Food and Drug Administration (FDA) released draft guidance on the Postmarket Management of Cybersecurity in Medical Devices. The guidance has been released for public comment and will be open for a comment period of 90 days.
The aim of the guidance is to help manufacturers of medical devices develop and implement controls that keep their devices secure and better protect patients. The guidance sets out a number of steps manufacturers should follow to address cybersecurity vulnerabilities once devices are on the market, so that patient safety is maintained throughout the product's life. These include monitoring devices and conducting risk assessments to identify security vulnerabilities in devices that have already been released.
Manufacturers of medical devices must ensure that cybersecurity protections are built into devices and are a central part of the design. However, it is not possible to eliminate all cybersecurity risks at the design phase, because risks may arise at any point in a product's lifecycle. It is therefore essential that medical devices are constantly monitored for new security risks that could potentially be exploited by cybercriminals.
Medical Device Manufacturers Must Implement a Structured and Systematic Comprehensive Cybersecurity Risk Management Program
Any device that uses software and is allowed to connect to a healthcare network introduces risk, and it is essential that those risks are managed. In order to keep medical devices secure and address evolving cybersecurity risks, manufacturers must develop a cybersecurity risk management program. Device manufacturers must proactively plan to address future security risks, and the FDA has recommended the development of a “structured and systematic comprehensive cybersecurity risk management program.”
The risk management program should incorporate NIST's Framework for Improving Critical Infrastructure Cybersecurity. The framework contains five core functions to address the ever-changing risk landscape: Identify, Protect, Detect, Respond and Recover. Device manufacturers are expected to continuously monitor information sources in order to identify new cybersecurity risks. Those risks must be assessed in relation to the medical devices, and mitigations must be deployed to proactively address risk and protect patients before cybercriminals are able to exploit vulnerabilities.
Manufacturers must adopt coordinated vulnerability disclosure policies and practices, and develop mitigations that allow them to respond to and recover from cybersecurity risk. In most cases the mitigations will involve developing and issuing software updates and patches.
Manufacturers are expected to respond promptly when new risks are discovered, and are required to address serious vulnerabilities within 30 days of discovery. The guidance also outlines the reporting requirements when vulnerabilities are discovered.
According to Suzanne Schwartz, M.D., M.B.A., acting director of emergency preparedness/operations and medical countermeasures, “Today’s draft guidance will build on the FDA’s existing efforts to safeguard patients from cyber threats by recommending medical device manufacturers continue to monitor and address cybersecurity issues while their product is on the market.”
The FDA will be discussing the new guidance at its upcoming public workshop at FDA headquarters in Silver Spring, MD. The workshop, "Moving Forward: Collaborative Approaches to Medical Device Cybersecurity", will be taking place on January 20-21.
The FDA’s draft guidance can be downloaded here.