Last week FDA issued a draft guidance on cybersecurity, giving device manufacturers recommendations on how they should monitor, identify and address vulnerabilities in devices once they hit the market. The document, “Postmarket Management of Cybersecurity in Medical Devices”, specifies how companies should proactively plan for and evaluate security gaps in a manner consistent with the quality system regulation, and encourages information sharing through participation in the Information Sharing Analysis Organization (a public-private sector group that exchanges cybersecurity information).
“All medical devices that use software and are connected to hospital and healthcare organizations’ networks have vulnerabilities—some we can proactively protect against, while others require vigilant monitoring and timely remediation,” said Suzanne Schwartz, M.D., associate director for science and strategic partnerships and acting director of emergency preparedness/operations and medical countermeasures at CDRH in an agency press release. “The FDA is encouraging medical device manufacturers to take a proactive approach to cybersecurity management of their medical devices. Only when we work collaboratively and openly in a trusted environment will we be able to best protect patient safety and stay ahead of cybersecurity threats.”
The agency recommends that manufacturers use a structured risk management program to be prepared for addressing vulnerabilities. The guidance document outlines the following important elements of the program:
The public can make comments on the draft guidance for the next 90 days. It will also be discussed at the agency’s cybersecurity public workshop later this week.