FDA Issues Cybersecurity Recommendations for Medical Device Manufacturers

While manufacturers can incorporate controls in the design of a product to help prevent these risks, they must also consider improvements during maintenance of devices, since the evolving nature of cyber threats means risks may arise throughout a device’s entire lifecycle. A structured and systematic comprehensive approach that responds in a timely fashion to identified vulnerabilities is thus recommended.

For the majority of cases, actions taken by manufacturers to address cybersecurity vulnerabilities and exploits should include routine updates or patches, for which no advanced notification, additional premarket review, or reporting under FDA regulations is required. For a small subset of cybersecurity vulnerabilities and exploits that may compromise essential clinical performance of a device and present a reasonable probability of serious adverse health consequences or death, the FDA would require medical device manufacturers to notify the agency.

In cases where the vulnerability is quickly addressed in a way that sufficiently reduces the risk of harm to patients, the FDA does not intend to enforce urgent reporting of the vulnerability to the agency, if certain conditions are met. These include no serious adverse events or deaths associated with the vulnerability; that within 30 days of learning of the vulnerability, the manufacturer notifies users and implements changes that reduce the risk to an acceptable level; and that the manufacturer reports the vulnerability, its assessment, and remediation to its Information Sharing Analysis Organization (ISAO).

“All medical devices that use software and are connected to hospital and health care organizations’ networks have vulnerabilities; some we can proactively protect against, while others require vigilant monitoring and timely remediation,” said Suzanne Schwartz, MD, MBA, associate director for science and strategic partnerships and acting director of emergency preparedness/operations and medical countermeasures in the FDA’s Center for Devices and Radiological Health (CDRH).

“The FDA is encouraging medical device manufacturers to take a proactive approach to cybersecurity management of their medical devices. Only when we work collaboratively and openly in a trusted environment, will we be able to best protect patient safety and stay ahead of cybersecurity threats,” continued Dr. Schwartz. “Today’s draft guidance will build on the FDA’s existing efforts to safeguard patients from cyber threats, by recommending medical device manufacturers continue to monitor and address cybersecurity issues while their product is on the market.”

Related Links:
US Food and Drug Administration