The Food and Drug Administration recently issued a draft guidance for managing cybersecurity in medical devices. The guidance document provides the FDA’s postmarket recommendations for monitoring, identifying, and addressing cybersecurity vulnerabilities in medical devices. According to the FDA:
A growing number of medical devices are designed to be networked to facilitate patient care. Networked medical devices, like other networked computer systems, incorporate software that may be vulnerable to cybersecurity threats. The exploitation of vulnerabilities may represent a risk to the safety and effectiveness of medical devices and typically requires continual maintenance throughout the product life cycle to assure an adequate degree of protection against such exploits. Proactively addressing cybersecurity risks in medical devices reduces the patient safety impact and the overall risk to public health.
Recognizing that medical devices and the surrounding network infrastructure cannot be completely secured, the FDA encourages manufacturers to establish a defined process to systematically conduct a risk evaluation and determine whether a cybersecurity vulnerability affecting a medical device presents an acceptable or unacceptable risk. According to the guidance document, such a process should focus on assessing the risk to the device’s essential clinical performance (i.e., performance that is necessary to achieve freedom from unacceptable clinical risk, as defined by the manufacturer) by considering: (1) the exploitability of the cybersecurity vulnerability, and (2) the severity of the health impact to patients if the vulnerability were to be exploited. Recommendations regarding timely remediation and reporting of such vulnerabilities are also provided.
Comments on the draft guidance should be submitted by April 21, 2016 to ensure consideration. Instructions on how to submit comments can be found here.