FDA Guidelines on Cybersecurity for Medical Devices

On October 2, 2014 the Food and Drug Administration (FDA) issued final guidance on the management of cybersecurity in medical devices. The document notes that, like all FDA guidance, it describes the agency's current thinking and does not establish legally enforceable responsibilities. Even so, with the health care sector facing significant risk from hackers, medical device companies should be aware that failure to maintain cybersecurity can result in compromised device functionality, loss of medical or personal data, or exposure of other connected devices or networks to security threats.

The guidance recommends that, as part of the software validation and risk analysis required under 21 CFR 820.30(g), manufacturers address the following elements:

  • Identification of assets, threats, and vulnerabilities;
  • Assessment of the impact of threats and vulnerabilities on device functionality and end users/patients;
  • Assessment of the likelihood of a threat and of a vulnerability being exploited;
  • Determination of risk levels and suitable mitigation strategies;
  • Assessment of residual risk and risk acceptance criteria.
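To show how the five elements above fit together in practice, here is a small risk-register script. It is an added example, not part of the FDA guidance or any manufacturer's process; the 1-to-5 likelihood and impact scales, the 5x5 scoring matrix, the "only low residual risk is acceptable" criterion, and every register entry are assumptions constructed for illustration (the entries borrow the concern categories the FDA press release names: malware on networked devices, uncontrolled passwords, and missing update controls).

```python
"""Illustrative medical device cybersecurity risk register.

Added example only: the scales, matrix, acceptance criterion and sample
entries below are assumptions constructed for illustration, not the FDA's.
"""
from dataclasses import dataclass, field

# Assumed qualitative scales: likelihood and impact each scored 1 (lowest) to 5 (highest).
SCALE_MIN, SCALE_MAX = 1, 5


def risk_level(likelihood: int, impact: int) -> str:
    """Map a likelihood/impact pair to a risk level via an assumed 5x5 matrix (score = L x I)."""
    for value in (likelihood, impact):
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"score {value} outside {SCALE_MIN}-{SCALE_MAX}")
    score = likelihood * impact
    if score >= 11:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


@dataclass
class Mitigation:
    name: str
    likelihood_reduction: int = 0  # points removed from likelihood once the control is in place
    impact_reduction: int = 0      # points removed from impact once the control is in place


@dataclass
class Risk:
    asset: str          # element 1: asset
    threat: str         # element 1: threat
    vulnerability: str  # element 1: vulnerability
    likelihood: int     # element 3: likelihood of exploitation, 1-5
    impact: int         # element 2: impact on device function and patients, 1-5
    mitigations: list = field(default_factory=list)  # element 4: mitigation strategies

    def inherent(self):
        """Likelihood/impact before any mitigation is applied."""
        return self.likelihood, self.impact

    def residual(self):
        """Likelihood/impact after mitigations, never reduced below the bottom of the scale."""
        lik = self.likelihood - sum(m.likelihood_reduction for m in self.mitigations)
        imp = self.impact - sum(m.impact_reduction for m in self.mitigations)
        return max(SCALE_MIN, lik), max(SCALE_MIN, imp)


# Assumed risk acceptance criterion (element 5): only "low" residual risk is accepted as-is.
ACCEPTABLE_LEVELS = {"low"}


def assess(register):
    """Return one row per risk with its inherent level, residual level and acceptance decision."""
    rows = []
    for risk in register:
        inherent = risk_level(*risk.inherent())
        residual = risk_level(*risk.residual())
        rows.append({
            "asset": risk.asset,
            "threat": risk.threat,
            "inherent": inherent,
            "residual": residual,
            "accepted": residual in ACCEPTABLE_LEVELS,
        })
    return rows


# Constructed sample register (not real devices or findings).
SAMPLE_REGISTER = [
    Risk("network-connected patient monitor", "malware infection",
         "unpatched off-the-shelf OS component", likelihood=4, impact=4,
         mitigations=[Mitigation("validated patch process", likelihood_reduction=2),
                      Mitigation("network segmentation", likelihood_reduction=1)]),
    Risk("clinician tablet used to access patient data", "unauthorized access",
         "shared service password with uncontrolled distribution", likelihood=3, impact=5,
         mitigations=[Mitigation("per-user credentials", likelihood_reduction=2)]),
    Risk("device maintenance port", "tampering with firmware",
         "no integrity check on firmware update", likelihood=2, impact=5,
         mitigations=[Mitigation("signed firmware images", likelihood_reduction=1),
                      Mitigation("fail-safe mode on invalid update", impact_reduction=2)]),
]


if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        status = "accept" if row["accepted"] else "REDUCE FURTHER"
        print(f"{row['asset']}: {row['inherent']} -> {row['residual']} ({status})")
```

The second entry is the one worth noticing: per-user credentials take the risk from high to medium, but under the assumed criterion medium residual risk is not acceptable, so the register flags it for further mitigation rather than sign-off. That is exactly the decision the residual-risk and acceptance-criteria elements ask manufacturers to make explicit and document.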

The guidance then recommends that manufacturers organize their cybersecurity program around the five core functions of the NIST Cybersecurity Framework: identify, protect, detect, respond, and recover. Finally, it lists the cybersecurity documentation to include in premarket submissions to the FDA, such as the hazard analysis and a traceability matrix linking each cybersecurity control to the risk it addresses.

According to an October 1, 2014 press release from the FDA, while there is no information suggesting specific devices or systems have been purposely targeted, there is concern about device-related cybersecurity vulnerabilities including:

  • Malware infections on network-connected medical devices or on the computers, smartphones, and tablets used to access patient data;
  • Unsecured or uncontrolled distribution of passwords;
  • Failure to provide timely security software updates and patches to medical devices and networks;
  • Security vulnerabilities in off-the-shelf software designed to prevent unauthorized access to the device or network.

The FDA will hold a public workshop on the topic October 21-22, 2014 at the National Intellectual Property Rights Coordination Center Auditorium in Arlington, Virginia.
