The Food and Drug Administration (FDA) has released draft guidance to the healthcare industry that updates cybersecurity recommendations for medical device manufacturers with the aim of addressing vulnerabilities and evolving cybersecurity threats.
The draft premarket cybersecurity guidance, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, identifies issues related to cybersecurity that manufacturers should address in the design and development of medical devices to ensure better protection of devices against cybersecurity threats that could interrupt clinical operations and delay patient care.
The new guidance is intended to provide recommendations to the medical device industry regarding cybersecurity device design, labeling and that FDA recommended documentation be included in pre-market submissions for devices vulnerable to cybersecurity threats. The recommendations build on the framework that the FDA created in its 2014 guidance for manufacturers.
According to the FDA, these updated recommendations also will facilitate an efficient premarket review process and help ensure that medical devices are designed to sufficiently address cybersecurity threats before the devices are on the market.
“Cybersecurity threats and vulnerabilities in today’s modern medical devices are evolving to become more apparent and more sophisticated, posing new potential risks to patients and clinical operations,” FDA Commissioner Scott Gottlieb, M.D., said in a statement. “The FDA has been working to stay a step ahead of these changing cybersecurity vulnerabilities, including engaging with external stakeholders. In this way, we can help ensure the health care sector is well positioned to proactively respond when cyber vulnerabilities are identified in products that we regulate.”
“Today’s draft premarket cybersecurity guidance provides updated recommendations for device manufacturers on how they can better protect their products against different types of cybersecurity risks, from ransomware to a catastrophic attack on a health system,” Gottlieb said in his statement, noting that the rapidly evolving nature of cyber threats necessitated an updated approach “to make sure [the guidance] reflects the current threat landscape so that manufacturers can be in the best position to proactively address cybersecurity concerns when they are designing and developing their devices.”
“This is part of the total product lifecycle approach to device safety, in which manufacturers must adequately address device cybersecurity from the design phase through the device’s time on the market to help ensure patients are protected from cybersecurity threats,” Gottlieb said.
As part of its focus on strengthening medical device cybersecurity, the FDA also announced this week an agreement with the Department of Homeland Security to increase collaboration on medical device security. The agreement, between the FDA’s Center for Devices and Radiological Health and DHS’ Office of Cybersecurity and Communications, is meant to encourage even greater coordination and information sharing about potential or confirmed medical device cybersecurity vulnerabilities and threats. Such collaboration can lead to more timely and better responses to potential threats to patient safety, the agencies said.
“Our strengthened partnership with DHS will help our two agencies share information and better collaborate to stay a step ahead of constantly evolving medical device cybersecurity vulnerabilities and assist the health care sector in being well positioned to proactively respond when cyber vulnerabilities are identified. This agreement demonstrates our commitment to confronting cybersecurity risks and the unscrupulous cybercriminals who may seek to put patient lives at risk,” Gottlieb said in a statement about the partnership.
With regard to the draft guidance issued this week, it incorporates new recommendations, including a “cybersecurity bill of materials,” which is a list of commercial and/or off-the-shelf software and hardware components of a device that could be susceptible to vulnerabilities. Depending on the level of cybersecurity risk associated with a device, this list can be an important resource to help ensure that device users are able to respond quickly to potential threats, the FDA said.
The draft guidance also introduces two tiers of devices—those with higher cybersecurity risk, including implanted devices such as pacemakers or neurostimulation devices, and standard cybersecurity risk, which includes devices that contain software—based on potential harm to patients from cybersecurity threats. The draft guidance outlines the documentation for inclusion in a premarket submission to the agency to demonstrate that the design of the medical device has adequately mitigated risk.
The FDA will hold a public workshop Jan. 29-30 to discuss the newly released draft guidance.