Earlier this week, the US Food and Drug Administration (FDA) released a draft guidance document detailing measures medical device manufacturers should take to ensure the postmarket cybersecurity of their devices. The document contains guidelines for monitoring, identifying and addressing cybersecurity concerns, in order to protect patient and public health.
The FDA issued its cybersecurity recommendations to help medical device manufacturers better manage the growing issue of potential threats to device security. Though manufacturers can – and do – design their products to be protected from potential cybersecurity threats, it is important that updates are made throughout the lifespan of the device in order to keep pace with evolving attacker techniques.
“All medical devices that use software and are connected to hospital and health care organizations’ networks have vulnerabilities—some we can proactively protect against, while others require vigilant monitoring and timely remediation,” said Dr. Suzanne Schwartz, associate director for science and strategic partnerships and acting director of emergency preparedness/operations and medical countermeasures in the FDA’s Center for Devices and Radiological Health. “Today’s draft guidance will build on the FDA’s existing efforts to safeguard patients from cyber threats by recommending medical device manufacturers continue to monitor and address cybersecurity issues while their product is on the market.”
The draft guidance is consistent with the agency’s Quality System Regulation, and focuses on the need for medical device manufacturers to plan for future cybersecurity vulnerabilities. The FDA also stresses the importance of information sharing – among the private sector and the public – via an Information Sharing and Analysis Organization (ISAO).
Medical device manufacturers are also strongly encouraged to perform cybersecurity risk assessment and promptly respond to any identified vulnerabilities. The FDA identified seven components necessary for proper implementation of a cybersecurity risk management program:
- Applying the Framework for Improving Critical Infrastructure Cybersecurity – written by the National Institute of Standards and Technology (NIST) in 2014 – which outlines the fundamental principles of “Identify, Protect, Detect, Respond and Recover.”
- Monitoring reporting sources for potential cybersecurity vulnerabilities.
- Determining the implications for an identified vulnerability.
- Setting up procedures for handling vulnerability concerns.
- Identifying the actions necessary for protecting against, responding to and eventually recovering from the cybersecurity risk.
- Putting a vulnerability disclosure policy into practice.
- Launching a proactive plan designed to prevent exploitation of medical devices.
The agency said that in most cases it will not require advance notification or reporting of actions taken by medical device manufacturers that are considered “cybersecurity routine updates or patches.” In situations where the identified vulnerability is addressed in a timely fashion, the FDA does not plan to enforce urgent reporting, provided that the incident meets certain conditions, including the stipulation that the vulnerability did not cause any serious adverse events.
“The FDA is encouraging medical device manufacturers to take a proactive approach to cybersecurity management of their medical devices,” said Schwartz. “Only when we work collaboratively and openly in a trusted environment, will we be able to best protect patient safety and stay ahead of cybersecurity threats.”