FOR IMMEDIATE RELEASE
October 4, 2023
The following is attributed to Suzanne Schwartz, M.D., M.B.A., director, Office of Strategic Partnerships and Technology Innovation, CDRH
To mark the FDA cyber team’s 10-year anniversary, here is an infographic showing some of the ways they have contributed to patient safety over the past decade.
The FDA’s Center for Devices and Radiological Health (CDRH) continues to take robust steps to ensure U.S. patients and health care providers have access to the most trustworthy and cybersecure medical devices in the world.
In recognition of Cybersecurity Awareness Month, and CDRH’s 10-year anniversary of its robust cybersecurity program, CDRH is highlighting its commitment to and the sweeping steps it is taking to protect patient safety and assist the medical device industry in mitigating risks from potential cyber incidents and vulnerabilities. Increasing integration of wireless devices, electronic exchange of medical device-related information, and cybersecurity vulnerabilities and incidents continue to highlight the importance of having stronger cybersecurity measures.
In support of its commitment, CDRH issued the final guidance, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, which provides recommendations on cybersecurity considerations for devices, as well as recommendations for documentation in device premarket submissions.
This new guidance replaces the 2014 premarket submissions guidance, and is intended to further emphasize the importance of ensuring that devices are designed securely, are capable of mitigating emerging cybersecurity risks, and to more clearly outline FDA’s recommendations for premarket submission information to address concerns and vulnerabilities.
The Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions final guidance does not supersede the previously issued guidance Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber Devices and Related Systems. However, the policy in the latter guidance expired on October 1, 2023. Beginning October 1, 2023, the FDA expects that sponsors of cyber devices will have had sufficient time to prepare premarket submissions that contain information required by section 524B of the FD&C Act.
On November 2, 2023, the FDA will host a webinar for industry and other stakeholders interested in learning more about the final guidance.
CDRH Cybersecurity Program
Over the past decade, CDRH has worked tirelessly to equip device manufacturers and health care delivery organizations across the country with the tools and resources they need to reduce cybersecurity vulnerabilities, mitigate threats, and quickly address any cyber incidents that occur in medical devices before patients are harmed.
Since its inception, CDRH’s cybersecurity team has evolved to meet the growing challenges the medical device industry faces as devices have become increasingly integrated with digital components, and therefore, more vulnerable to cyber threats and incidents. We have more than doubled the number of dedicated cybersecurity personnel in just the past three years and set up a centralized cybersecurity program to ensure the issue remains top of mind for agency leaders.
Working with our federal partners, including the U.S. Cybersecurity and Infrastructure Security Agency (CISA), as well as the private sector and medical device manufacturers, CDRH has been extremely active in enhancing cybersecurity preparedness and response efforts for the medical device industry. We have developed numerous resources to help navigate issues as technologies evolve, including contracting for the development of a response playbook which allows hospitals and other care delivery organizations to prepare for cyber threats involving medical devices. Additionally, CDRH has also contracted for the creation of a threat modeling playbook to help manufacturers strategize about how to respond to potential threats and minimize vulnerabilities.
The cybersecurity of medical devices is a shared responsibility across the health care system, including health care facilities, providers, and manufacturers. CDRH’s dedicated cybersecurity team remains committed to collaborating and communicating with the entire health care ecosystem to address cyber threats that arise.
As we celebrate 10 years of our cybersecurity program, medical device cybersecurity remains a top priority for CDRH. We continue to work closely with industry stakeholders and federal partners to bolster device security and ensure patient safety as these technologies continue to evolve.
In the coming months, the FDA plans to take additional actions to strengthen the security of medical devices.
- Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions
- Infographic highlighting FDA cyber team’s 10-year anniversary
- Webinar - Final Guidance: Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions