SILVER SPRING, Md. – The U.S. Food and Drug Administration has released final guidance on the post-market management of cybersecurity in marketed and distributed medical devices.
“Protecting medical devices from ever-shifting cybersecurity threats requires an all-out, lifecycle approach that begins with early product development and extends throughout the product’s lifespan,” said Dr. Suzanne Schwartz, the FDA’s associate director for science and strategic partnerships at the Center for Devices and Radiological Health, in a statement. “Today’s post-market guidance recognizes today’s reality: cybersecurity threats are real, ever-present and continuously changing.”
A key recommendation from the FDA is that medical device manufacturers should implement a structured and comprehensive program to manage cybersecurity risks. Other recommendations suggest that medical device manufacturers should: have a way to monitor and detect cybersecurity vulnerabilities in their devices; understand, assess and detect the level of risk a vulnerability poses to patient safety; establish a process for working with cybersecurity researchers and other stakeholders to receive information about potential vulnerabilities; and deploy mitigations, such as software patches, to address cybersecurity issues early, before they can be exploited and cause harm.
The FDA’s recommendations also state that it is vital for manufacturers and stakeholders across the entire ecosystem to consider applying the National Institute of Standards and Technology’s (NIST) core principles for improving critical infrastructure cybersecurity.
“It is only through application of these guiding principles, executed alongside best practices such as coordinated vulnerability disclosure, that we will all be able to navigate this uncharted territory of evolving risks to device security,” said Schwartz.
The FDA said that the new guidance applies to any marketed and distributed medical device including: medical devices that contain software (including firmware) or programmable logic; and software that is a medical device, including mobile medical applications.
The FDA’s guidance also applies to medical devices that are considered part of an interoperable system and to devices that are already on the market or in use.
“The same innovations and features that improve health care can increase cybersecurity risks,” said Schwartz. “This is why we need all stakeholders in the medical device ecosystem to collaborate to simultaneously address innovation and cybersecurity.”