Dive Brief:
- The Food and Drug Administration has issued draft guidance describing the steps manufacturers must take to ensure their medical devices are safe from cyberattacks.
- Not only are devicemakers expected to establish design inputs related to cybersecurity, they also must address postmarket threats that could evolve after the product enters the market.
- The guidance is part of ongoing efforts to ensure the safety and performance of devices throughout their lifecycles, Healthcare IT News reports.
Dive Insight:
During the premarket phase, manufacturers of software-driven medical devices will need to establish a system for identifying and managing cybersecurity vulnerabilities. This should include an assessment of the impact of any threats on the device and patients, as well as an assessment of risk levels and possible mitigation strategies, the 25-page guidance explains.
Once a device is on the market, manufacturers must monitor any risks that could affect the product’s clinical performance. Firms should adopt a coordinated vulnerability disclosure policy and develop risk management and quality management systems to address cybersecurity risks, according to the guidance.
“The FDA is encouraging medical device manufacturers to take a proactive approach to cybersecurity management of their medical devices,” said Suzanne Schwartz, director of emergency preparedness/operations and medical countermeasures in the FDA’s Center for Devices and Radiological Health.
The agency made clear that most cybersecurity issues can be handled by firms as routine updates or patches.
Efforts to ramp up cybersecurity have been underway since 2013, when President Barack Obama issued an executive order and policy directive calling for a public-private effort to bolster the cybersecurity infrastructure. In 2014, the FDA released final guidance on incorporating premarket cybersecurity management into the design stage of device development.
The agency said it will discuss the guidance at a Jan. 20-21 public workshop aimed at identifying existing gaps in cybersecurity and potential solutions.