FDA Releases Final Guidance on Medical Device Cybersecurity
October 2, 2014 in News
Need for Guidance
FDA said the guidance is necessary to help manufacturers consider cybersecurity concerns when developing, designing and submitting devices for approval (Pedulli, Clinical Innovation Technology, 10/1). The agency wrote, “The need for effective cybersecurity to assure medical device functionality has become more important with the increasing use of wireless, Internet- and network-connected devices and the frequent electronic exchange of medical device-related health information.”
Specifically, the guidance is intended to protect patient data from hackers attempting to access it via malware and other potential security breaches (Devaney, The Hill, 10/1).
Suzanne Schwartz — director of emergency preparedness, operations and medical countermeasures for FDA’s Center for Devices and Radiological Health — said in a statement, “There is no such thing as a threat-proof medical device,” and noted that manufacturers must “remain vigilant” about potential risks to protect patient data (Bowman, FierceHealthIT, 10/1).
Details of Final Guidance
When developing a medical device, FDA recommends that manufacturers:
- Assess device risks and vulnerabilities;
- Determine criteria for risk acceptance;
- Evaluate how risks could affect device functionality; and
- Measure the risk levels and create strategies to mitigate risk (Goedert, Health Data Management, 10/1).
The guidance further recommends that manufacturers in premarket device submissions:
- Give instructions and product specifications for the recommended cybersecurity controls (FDA guidance, 10/1);
- Include a matrix connecting the cybersecurity risks considered to a device’s cybersecurity controls;
- List all cybersecurity risks considered in the design process (Clinical Innovation Technology, 10/1);
- Outline a plan for providing software updates and patches to the device’s software or operating system (Clinical Innovation Technology, 10/1); and
- Provide a list of and justifications for all the cybersecurity controls established for a device (FDA guidance, 10/1).
In addition, the guidance states that manufacturers should balance cybersecurity risks with usability considerations for particular settings. For example, the agency wrote that cybersecurity controls should not prevent users from accessing devices during an emergency (Health Data Management, 10/1).