The U.S. Food and Drug Administration (FDA) released a set of recommendations for manufacturers for managing cyber-security risks and protecting patient health and information.
The guidance is titled ‘Content of Premarket Submissions for Management of Cybersecurity in Medical Devices’ and recommends that manufacturers consider cybersecurity risks as part of the design and development of medical devices and submit documentation to the FDA about those risks and the controls in place to mitigate them. The guidance also recommends manufacturers submit their plans for providing updates to operating systems and software.
“There is no such thing as a threat-proof medical device,” said Suzanne Schwartz, director of emergency preparedness/operations and medical countermeasures at the FDA’s Center for Devices and Radiological Health, in a statement. “It is important for medical device manufacturers to remain vigilant about cybersecurity and to appropriately protect patients from those risks.”
The FDA said it has been working closely with other federal agencies as well as the medical device industry to identify and discuss vulnerabilities. This fall, the agency is planning a public workshop to discuss how government, medical device developers, hospitals, cybersecurity professionals and others can collaborate to improve the security of medical devices and protect the public.
“FDA recognizes that medical device security is a shared responsibility between stakeholders, including health care facilities, patients, providers, and manufacturers of medical devices,” according to the document. “Failure to maintain cybersecurity can result in compromised device functionality, loss of data (medical or personal) availability or integrity, or exposure of other connected devices or networks to security threats. This in turn may have the potential to result in patient illness, injury, or death.”
In particular, medical devices that are capable of connecting to another device or the Internet are more vulnerable to security threats, the guidance notes. In its recommendations, the FDA stresses the importance of authentication controls and detection.
“The need for effective cybersecurity to assure medical device functionality and safety has become more important with the increasing use of wireless, Internet- and network-connected devices, and the frequent electronic exchange of medical device – related health information,” according to the document. “This guidance has been developed by the FDA to assist industry by identifying issues related to cybersecurity that manufacturers should consider in the design and development of their medical devices as well as in preparing premarket submissions for those devices.”