Manufacturers and users of connected medical devices should take steps to ensure the cybersecurity of such devices, the FDA said in a new guidance document.
The draft guidance is significant because it contains the FDA’s first directives on the security of Internet of Things (IoT) medical devices after they are released to the market, rather than during the design, manufacturing and FDA approval phases.
In 2014, the FDA provided guidance for pre-market cybersecurity technology and management in medical devices. Last year, the agency issued a safety communication on the security vulnerabilities of two infusion pumps made by Hospira, Inc., which is now owned by Pfizer Inc.
“Cybersecurity threats to medical devices are a growing concern. The exploitation of cybersecurity vulnerabilities presents a potential risk to the safety and effectiveness of medical devices,” the FDA said in a Jan. 15 release. “While manufacturers can incorporate controls in the design of a product to help prevent these risks, it is essential that manufacturers also consider improvements during maintenance of devices, as the evolving nature of cyber threats means risks may arise throughout a device’s entire lifecycle.”
In the release, Suzanne Schwartz, M.D., associate director for science and strategic partnerships in the FDA’s Center for Devices and Radiological Health, said that all medical devices that use software and are connected to healthcare providers’ data networks have security weaknesses.
“Some we can proactively protect against, while others require vigilant monitoring and timely remediation,” Schwartz said.
The guidance also says device manufacturers should participate in an Information Sharing and Analysis Organization (ISAO) to exchange information about medical device cybersecurity.
In addition, the FDA guidance says vendors should adopt structured and thorough cybersecurity risk management programs, which should include, among other things:
- Monitoring cybersecurity information sources
- Detecting the presence and impacts of vulnerabilities
- Establishing processes for handling vulnerabilities
- Defining clinical performance in order to protect against, respond to and recover from cybersecurity risk
The FDA is soliciting public comment on the draft guidance. The comment period will be open for 90 days.