FDA issues draft cybersecurity guidelines for medical devices

January 19, 2016
Health IT Risk Management
By Gail Kalinoski, Contributing Reporter

Calling cybersecurity threats to medical devices a growing concern, the FDA has issued draft guidance for manufacturers to monitor, identify and address cybersecurity vulnerabilities in medical devices throughout their life cycles.

The FDA noted that it is essential that manufacturers incorporate controls in the design phases but also consider improvements during maintenance of devices, because cyber threats may arise during the device’s life cycle.

“All medical devices that use software and are connected to hospital and health care organizations’ networks have vulnerabilities – some we can proactively prevent against, while others require vigilant monitoring and timely remediation,” said Dr. Suzanne Schwartz, associate director for science and strategic partnerships. “Today’s draft guidance will build on the FDA’s existing efforts to safeguard patients from cyber threats by recommending medical device manufacturers continue to monitor and address cybersecurity issues while their product is on the market.”

Schwartz, also the acting director of emergency preparedness/operations and medical countermeasures in the FDA’s Center for Devices and Radiological Health, made her comments in a news release from the FDA. The agency said the draft guidance is part of the FDA’s ongoing efforts to ensure the safety and effectiveness of medical devices at all stages of their life cycle because of the evolving nature of cyber threats.

The FDA previously only issued guidance while devices were still being developed, according to Reuters. These are the first postmarket recommendations. The draft guidelines include:

  • Monitoring cybersecurity information sources for identification and detection of vulnerabilities and risk;

  • Understanding, assessing and detecting presence and impact of a vulnerability;

  • Establishing and communicating processes for vulnerability intake and handling;

  • Clearly defining essential clinical performance in order to develop mitigations that protect, respond and recover from the risk;

  • Adopting a coordinated vulnerability disclosure policy and practice;

  • Deploying mitigations that address cybersecurity risk early and prior to exploitation.

Most of the cases will only need routine updates or patches and will not require advance notification, premarket review or reporting, the FDA noted. For that “small subset of cybersecurity vulnerabilities and exploits that may compromise the essential clinical performance of a device and present a reasonable probability of serious adverse health consequences or death,” the FDA would require manufacturers to notify the agency.

The draft guidance is voluntary and not legally binding. The FDA said it has been actively working to improve cybersecurity information sharing and to develop and implement risk-based standards since a 2013 White House directive that urged the public and private sectors to work together to improve critical cybersecurity infrastructure.

“The FDA is encouraging medical device manufacturers to take a proactive approach to cybersecurity management of their medical devices,” Schwartz said in the agency statement. “Only when we work collaboratively and openly in a trusted environment, will we be able to best protect patient safety and stay ahead of cybersecurity threats.”

The FDA is accepting public comments on the draft guidance for 90 days. It will also hold a public workshop this week, Jan. 20-21, at the FDA’s headquarters in Silver Spring, Md., to focus on “unresolved gaps and challenges that have hampered progress in advancing medical device cybersecurity” and to identify solutions.
