FDA Updates Cybersecurity Recommendations for Medical Devices
Safety controls to guard against data breaches and viruses are especially important when it comes to healthcare and medical devices. Because of the rapidly evolving nature of cybersecurity threats and risks, the U.S. Food and Drug Administration recently released a draft of updated premarket cybersecurity recommendations on how device manufacturers can better protect their products and proactively address security.
The draft, titled Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, updates the FDA's recommendations on the cybersecurity considerations for device design, labeling, and documentation that manufacturers should address during the design and development of their medical devices and include in premarket submissions for devices that carry cybersecurity risk.
Updates include a “cybersecurity bill of materials,” a list of the commercial and off-the-shelf software and hardware components in a device that could be susceptible to vulnerabilities. The draft guidance also introduces tiers of cyber risk based on the potential harm to patients: Tier 1, “Higher Cybersecurity Risk” (for example, implanted devices such as pacemakers or implantable cardiac defibrillators), and Tier 2, “Standard Cybersecurity Risk.”
Although the FDA issued guidance addressing premarket expectations in 2014, the rapidly evolving cyber threat landscape calls for an update. “This is part of the total product lifecycle approach to device safety, in which manufacturers must adequately address device cybersecurity from the design phase through the device’s time on the market to help ensure patients are protected from cybersecurity threats,” stated FDA Commissioner Scott Gottlieb.
The FDA will hold a public workshop on January 29–30, 2019 to discuss the draft guidance.
In addition, the FDA has collaborated with the MITRE Corporation, a not-for-profit research group, to develop a resource—the Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook—for healthcare organizations to plan for and respond to cybersecurity incidents around medical devices.