FDA's device cybersecurity draft guidance focuses on what manufacturers can do

The FDA has issued a draft guidance detailing the steps medical device manufacturers should take to continually address cybersecurity risks to keep patients safe and better protect the public health.

The draft guidance details the agency’s recommendations for monitoring, identifying and addressing cybersecurity vulnerabilities in medical devices once they have entered the market.

Cybersecurity threats to medical devices are a growing concern, according to the agency. The exploitation of cybersecurity vulnerabilities presents a potential risk to the safety and effectiveness of medical devices. Manufacturers can build controls into products to help prevent these risks, but they also need to consider improvements during maintenance of devices, “as the evolving nature of cyberthreats means risks may arise throughout a device’s entire lifecycle.”

“All medical devices that use software and are connected to hospital and healthcare organizations’ networks have vulnerabilities—some we can proactively protect against, while others require vigilant monitoring and timely remediation,” said Suzanne Schwartz, MD, MBA, associate director for science and strategic partnerships and acting director of emergency preparedness/operations and medical countermeasures in the FDA’s Center for Devices and Radiological Health. The draft guidance “will build on the FDA’s existing efforts to safeguard patients from cyberthreats by recommending medical device manufacturers continue to monitor and address cybersecurity issues while their product is on the market.”

The guidance stresses the importance of information sharing through participation in an Information Sharing and Analysis Organization (ISAO), a collaborative group in which public- and private-sector members exchange cybersecurity information. The draft guidance recommends that manufacturers implement a structured, systematic and comprehensive cybersecurity risk management program and respond in a timely fashion to the vulnerabilities it identifies.

Critical components of such a program should include:

  • Applying NIST's voluntary 2014 Framework for Improving Critical Infrastructure Cybersecurity, which is built around the five core functions "Identify, Protect, Detect, Respond and Recover";
  • Monitoring cybersecurity information sources (such as ISAO feeds and vulnerability disclosures) to identify and detect cybersecurity vulnerabilities and risk;
  • Understanding and assessing the presence and impact of a vulnerability in the manufacturer's own devices;
  • Establishing and communicating processes for vulnerability intake and handling;
  • Clearly defining the device's essential clinical performance, so that mitigations can be developed that protect against, respond to and recover from the cybersecurity risk;
  • Adopting a coordinated vulnerability disclosure policy and practice; and
  • Deploying mitigations that address cybersecurity risk early, before a vulnerability is exploited.

In most cases, actions taken by manufacturers to address cybersecurity vulnerabilities and exploits are considered "cybersecurity routine updates or patches," for which the FDA does not require advance notification, additional premarket review or reporting under its regulations. The exception is a vulnerability that compromises a device's essential clinical performance and could cause serious adverse health consequences or death; such a vulnerability must be remediated and, unless the conditions set out in the guidance are met, reported to the agency.

“The FDA is encouraging medical device manufacturers to take a proactive approach to cybersecurity management of their medical devices,” said Schwartz. “Only when we work collaboratively and openly in a trusted environment will we be able to best protect patient safety and stay ahead of cybersecurity threats.”

Public comments on the draft guidance will be accepted for 90 days.

Beth Walsh, Editor

Editor Beth earned a bachelor’s degree in journalism and master’s in health communication. She has worked in hospital, academic and publishing settings over the past 20 years. Beth joined TriMed in 2005, as editor of CMIO and Clinical Innovation + Technology. When not covering all things related to health IT, she spends time with her husband and three children.
