FDA Issues Guidelines on Medical Device Cybersecurity
The Food and Drug Administration (FDA) issued a new set of draft guidelines in hopes that medical device manufacturers address cybersecurity risks not only when they design products, but also throughout the maintenance of those products.
The document recommends manufacturers adopt a cybersecurity risk management program that meets a set of prescribed requirements, according to Healthcare IT News.
As one of those requirements the agency is encouraging manufacturers to apply benchmarks illustrated in “Framework for Improving Critical Infrastructure Cybersecurity,” a 2014 report (.PDF) published by the National Institute of Standards and Technology.
The FDA is also stressing that manufacturers should make sure they can understand, assess, and detect a vulnerability’s presence and impact, and streamline the communication process around it, according to Healthcare IT News.
The program should also adopt a vulnerability disclosure policy and practice, and deploy mitigations that address risk early, before exploitation, according to the guidance document, the report said.
The FDA also points to the benefits of information sharing and analysis organizations, “strongly recommending” that manufacturers join a cybersecurity Information Sharing and Analysis Organization, or ISAO.
“The FDA is encouraging medical device manufacturers to take a proactive approach to cybersecurity management of their medical devices,” said Suzanne Schwartz, M.D., M.B.A., an Associate Director in the FDA’s Center for Devices and Radiological Health. “Only when we work collaboratively and openly in a trusted environment will we be able to best protect patient safety and stay ahead of cybersecurity threats.”
Under the guidelines, most actions taken by manufacturers to address issues would be “cybersecurity routine updates or patches,” for which the FDA would not require advance notification or reporting. For any vulnerability that would compromise the “clinical performance of a device” and “present a reasonable probability of serious adverse health consequences or death,” the FDA would have to be notified.