The Center for Devices and Radiological Health of the Food and Drug Administration draft issued Cybersecurity Guidance for Medical Devices, including recommendations for designing devices with cybersecurity in mind, and FDA guidance for premarket submissions of compromised devices.
The guidance is designed to facilitate “an efficient premarket review process” while ensuring medical devices marketed for healthcare are “sufficiently resilient to cybersecurity threats.” The FDA is seeking feedback from health care leaders to further develop supporting knowledge.
The FDA first issued premarket guidance in 2014, then updated it in 2018 to meet the ever-evolving landscape. Industry leaders have been waiting for an update in recent years.
The latest guidance builds on its initial efforts, incorporating input from health care leaders from public meetings, previous comment periods, and recommendations from the Health Care Industry Cybersecurity Task Force Report to identify security issues. cybernetics that device manufacturers must also address in the development and design process. as pre-market presentations.
The FDA developed the knowledge in response to the rapid evolution and scope of connected Internet of Things (IoT) and digital medical devices, especially with the increase in the electronic exchange of health information through medical devices.
As threats to health care become more frequent, serious and clinically impactful, the FDA warns that “cybersecurity incidents have rendered medical devices and hospital networks inoperable, disrupting patient care in healthcare in the US and around the world.”
For example, some individual devices act as “single elements of larger medical device systems,” which may include facility networks, other devices, software update servers, and other interconnected components.
Consequently, without proper cybersecurity considerations in all aspects of these systems, a cybersecurity threat can compromise the security and/or effectiveness of a device by compromising the functionality of any asset in the system. FDA.
“As a result, ensuring device security and effectiveness includes proper cybersecurity of the device, as well as its security as part of the larger system,” he added. With patient safety risks in mind, the FDA guidance seeks to address a number of long-standing challenges posed by increased connectivity.
FDA Voluntary Guidance Provides Recommendations for Cyber Healthcare Professionals
The guide is intended to be voluntary, although it does provide clarity on existing requirements of law, as well as statutory and regulatory mandates. It also covers all devices that contain software, firmware, programmable logic, and software as a medical device (SaMD).
Manufacturers can take advantage of the document to find cybersecurity recommendations for device submissions to the FDA. The guide also covers the necessary implementation mitigations to protect the device throughout its lifespan, a longstanding challenge for the industry given its heavy reliance on legacy and/or older devices.
Healthcare security leaders will find recommendations and support for a number of device challenges, including security risk management, cybersecurity transparency (such as tagging devices at risk), vulnerability management plans, security deployments, security control and views of patches and updates.
The guidance comes on the heels of a pair of congressional bills that would establish a series of cybersecurity requirements for device manufacturers, including the development of the Software Bill of Materials (SBOM) to share with healthcare users. . Upon publication, stakeholders noted that the bills address newer devices and do not address the systemic risks and issues of medical devices.
The FDA’s expertise addresses a detailed set of challenges to secure the complex medical device infrastructure. Industry leaders are encouraged to provide feedback on the insights, which will be crucial in ensuring the resource can effectively support the most pressing risks and challenges.
“FDA recognizes that medical device safety is a shared responsibility among stakeholders” in the medical device system environment, including provider organizations, patients, and device manufacturers.
In that spirit, the agency also urged device manufacturers to use the FDA’s new knowledge along with previously published knowledge. medical device safety guide of the HSCC.