On January 15, 2016, FDA published a draft guidance providing medical device manufacturers with a number of recommendations to protect patients from cybersecurity vulnerabilities in their devices.
The draft guidance, entitled “Postmarket Management of Cybersecurity in Medical Devices,” encourages manufacturers to “address cybersecurity throughout the product life cycle, including during the design, development, production, distribution, deployment and maintenance of the device.” Additionally, the Agency states that the recommendations contained within the document are applicable to:
In addition to the Agency’s recommendations for medical device manufacturers, the draft guidance contains a rather sizable list of definitions, which includes terms such as Compensating Controls and Controlled Risk.
In the recent past we have seen an increase in the number of medical devices containing computer hardware or software, or connecting to computer networks. These devices, which are designed to be networked to facilitate patient care, are susceptible to the same types of cyber vulnerabilities as other networked computer systems. The exploitation of these vulnerabilities could pose a huge risk to the safety and effectiveness of medical devices. Regular maintenance is required throughout the product life cycle to assure that an adequate level of protection is in place. This consistent maintenance is key to reducing the risk to patient safety and overall public health.
In the recent draft guidance, the FDA “emphasizes that manufacturers should monitor, identify and address cybersecurity vulnerabilities and exploits as part of their postmarket management of medical devices.” In addition, the Agency recommends that companies take a number of preventative measures, such as monitoring, identifying, and addressing risks; coordinating efforts by companies, government, and other groups to disclose vulnerabilities; and taking actions to address cybersecurity risks as early and proactively as possible.
The draft guidance states that a large number of cybersecurity vulnerabilities are considered routine and can be easily resolved. These vulnerabilities do not need to be reported to the FDA. However, vulnerabilities that might compromise the clinical performance of the device, thus risking the health of the patient, are required to be reported to the Agency.