FDA Releases Cybersecurity Recommendations for Medical Device Manufacturers

Cybersecurity threats to medical devices are a growing concern. The FDA took a proactive step last week and released draft guidance encouraging medical device manufacturers to address certain cybersecurity risks to keep patients safe.

Manufacturers should look beyond the initial security measures implemented in a medical device and consider additional safety measures throughout a particular device’s whole lifecycle, according to the report.

“All medical devices that use software and are connected to hospital and healthcare organizations’ networks have vulnerabilities—some we can proactively protect against, while others require vigilant monitoring and timely remediation,” said Suzanne Schwartz, MD, MBA, associate director for science and strategic partnerships and acting director of emergency preparedness/operations and medical countermeasures in the FDA’s Center for Devices and Radiological Health, in a press release.

The guidance stresses the need for proactively planning and assessing cybersecurity vulnerabilities, information sharing between the public and manufacturers, as well as creating a cybersecurity risk management program that includes:

  • Applying the 2014 NIST voluntary Framework for Improving Critical Infrastructure Cybersecurity
  • Monitoring cybersecurity information sources to identify any vulnerabilities
  • Understanding, assessing, and detecting the presence of possible vulnerabilities
  • Defining essential clinical performance to identify, protect, respond and recover from a cybersecurity threat
  • Adopting a threat disclosure policy and practice
  • Implementing measures that identify cybersecurity risk early and before an incident occurs