FDA Issues Guidelines on Medical Device Cybersecurity

The Food and Drug Administration (FDA) issued a new set of draft guidelines on Friday in hopes that medical device manufacturers will address cybersecurity risks in their products.

The Food and Drug Administration (FDA) issued a new set of draft guidelines on Friday in hopes that medical device manufacturers not only address cybersecurity risks before they design products, but also during the maintenance of those products.

The 25-page document recommends manufacturers adopt a cybersecurity risk management program that meets a set of prescribed requirements.

As one of those requirements, the agency is encouraging manufacturers to apply benchmarks illustrated in “Framework for Improving Critical Infrastructure Cybersecurity,” a 2014 report (.PDF) published by the National Institute of Standards and Technology, or NIST. That report, which came as a result of Executive Order 13636, advocates a “framework core” set of functions to follow when it comes to managing cybersecurity risk: identify, protect, detect, respond, and recover.

The FDA is also stressing that manufacturers should make sure they can understand, assess, and detect a vulnerability’s presence and impact, and streamline the communication process around it.

The program should also adopt a vulnerability disclosure policy and practice, and deploy mitigations that address risk early and prior to exploitation, according to the guidance document.

Collaboration is a key part of the FDA’s plan as well. Throughout the report, the FDA refers to the benefits of information sharing and analysis organizations, “strongly recommending” that manufacturers enter into a cybersecurity Information Sharing and Analysis Organization, or ISAO.

“Sharing and dissemination of cybersecurity information and intelligence pertaining to vulnerabilities and threats across multiple sectors is integral to a successful postmarket cybersecurity surveillance program,” the draft reads.

“The FDA is encouraging medical device manufacturers to take a proactive approach to cybersecurity management of their medical devices,” said Suzanne Schwartz, M.D., M.B.A., an Associate Director in the FDA’s Center for Devices and Radiological Health. “Only when we work collaboratively and openly in a trusted environment, will we be able to best protect patient safety and stay ahead of cybersecurity threats.”

Under the guidelines, most actions taken by manufacturers to address issues would be “cybersecurity routine updates or patches,” which the FDA wouldn’t require advance notification or reporting for. For any vulnerabilities that would compromise the “clinical performance of a device” and “present a reasonable probability of serious adverse health consequences or death,” the FDA would have to be notified.

The agency plans to discuss the recommendations, which are open to public comment for 90 days, at a cybersecurity workshop Wednesday and Thursday this week.

On tap for discussion, in addition to the proposed recommendations, are “unresolved gaps and challenges that have hampered progress in advancing medical device cybersecurity and identify specific solutions to addressing these issues moving forward,” according to the agency.

The document clarifies the agency’s stance on how to address the security of devices after they’ve been given the green light to go to market. It follows up guidance published in October 2014 (.PDF) for device manufacturers prepping submissions premarket, or in their developmental stages.

The report from Friday mentioned last October’s research several times, acknowledging that when manufacturers address cybersecurity during the design and development of medical devices, the resulting impact is “a more proactive and robust mitigation of cybersecurity risks.”

Both sets of guidelines follow up guidelines initially published by the agency way back in 2013, when it first began to get serious about security. The FDA warned at the time that devices that are either implanted or worn on the body and involve RF wireless technology should securely transmit medical data. Those warnings came on the heels of a handful of stories that described how defibrillators, insulin pumps and pacemakers were getting hacked.
