FDA posts cybersecurity guidance for medical device manufacturers
It isn’t enough for manufacturers to create secure devices; they are also expected to keep those devices secure once they are on the market. They can alert consumers and patch vulnerabilities without giving the FDA advance notice.
It also promotes the principle of information sharing by joining an Information Sharing and Analysis Organization (ISAO). Last July, the FDA issued a warning to providers about Hospira’s Symbiq Infusion System and advised them to stop using the product because of cybersecurity vulnerabilities. The draft guidance recommends that manufacturers implement a structured, systematic and comprehensive cybersecurity risk management program and respond in a timely fashion to identified vulnerabilities.
“Today’s draft guidance will build on the FDA’s existing efforts to safeguard patients from cyber threats by recommending medical device manufacturers continue to monitor and address cybersecurity issues while their product is on the market”. The Hospira pump was vulnerable to cyberattacks, and the FDA encouraged hospitals to get rid of the devices. IEEE Cybersecurity Initiative also published guidance on medical device security during software development.
“Sharing and dissemination of cybersecurity information and intelligence pertaining to vulnerabilities and threats across multiple sectors is integral to a successful postmarket cybersecurity surveillance program”, the draft reads.
“The FDA is encouraging medical device manufacturers to take a proactive approach to cybersecurity management of their medical devices”, said Suzanne Schwartz, FDA associate director for science and strategic partnerships.
“I like that the document establishes what the FDA expects manufacturers to do to provide security support to devices after they have been released”, he says.
Identify and implement compensating controls, such as a work-around or temporary fix, to adequately mitigate the cybersecurity vulnerability risk, especially when an “official fix” may not be feasible or immediately practicable.
Under the guidelines, most actions taken by manufacturers to address issues would be “cybersecurity routine updates or patches”, for which the FDA wouldn’t require advance notification or reporting. “The exploitation of vulnerabilities may represent a risk to the safety and effectiveness of medical devices and typically requires continual maintenance throughout the product life cycle to assure an adequate degree of protection against such exploits”.
More details and clarifications will be presented at the agency’s two-day public workshop on the topic to be held starting Wednesday at the FDA’s Silver Spring, MD, headquarters.
Comments on the draft guidance will be open for 90 days after publication in the Federal Register.