The Food and Drug Administration has issued draft guidelines for device manufacturers to manage postmarket cybersecurity vulnerabilities for medical devices.
As a growing number of medical devices are designed to be networked to facilitate patient care, these devices incorporate software that may be vulnerable to cybersecurity threats.
In the guidelines, FDA encourages device manufacturers to address cybersecurity throughout the product lifecycle, including during the design, development, production, distribution, deployment and maintenance of the device.
“This guidance clarifies FDA’s postmarket recommendations and emphasizes that manufacturers should monitor, identify and address cybersecurity vulnerabilities and exploits as part of their postmarket management of medical devices,” the report states.
The agency recommends that device manufacturers employ a proactive and risk-based approach to the postmarket phase by engaging in cybersecurity information sharing and monitoring, promoting “good cyber hygiene” through routine device cyber maintenance and using a risk-based approach to characterizing vulnerabilities followed by timely implementation of necessary actions to further mitigate emerging cybersecurity risks.
As part of a cybersecurity risk management program, FDA encourages the use and adoption of the National Institute of Standards and Technology (NIST) voluntary Framework for Improving Critical Infrastructure Cybersecurity.
“Critical to the adoption of a proactive, rather than reactive, postmarket cybersecurity approach, is the sharing of cyber risk information and intelligence within the medical device community,” the FDA draft guidelines state.
As part of the cybersecurity risk management process, device manufacturers should “establish, document and maintain throughout the medical device lifecycle an ongoing process for identifying hazards associated with the cybersecurity of a medical device, estimating and evaluating the associated risks, controlling these risks and monitoring the effectiveness of the controls,” the draft guidelines state.
The FDA also recommends that such a process focus on assessing the risk to the device’s essential clinical performance by considering the exploitability of the cybersecurity vulnerability and the severity of the health impact to patients if the vulnerability were to be exploited.
While many device manufacturers use “worst case scenarios” to assess the exploitability of a cybersecurity vulnerability, the FDA draft guidelines recommend that manufacturers consider using a cybersecurity vulnerability assessment tool or similar scoring system, such as the Common Vulnerability Scoring System, for rating vulnerabilities and determining the need for and urgency of the response.
The FDA draft guidelines also recommend that medical device companies have a structured and systematic approach to risk management and quality management systems that includes methods to identify, characterize and assess a cybersecurity vulnerability and methods to analyze, detect and assess threat sources. For example, a cybersecurity vulnerability might affect all of the medical devices in a manufacturer’s portfolio because of how its products are developed, or a vulnerability could exist vertically, such as within the components of a device, and be introduced at any point in the supply chain of the medical device manufacturing process.
Comments on the draft guidance will be open for 90 days after publication in the Federal Register.