October 17, 2018
“Cybersecurity threats and vulnerabilities in today’s modern medical devices are evolving to become more apparent and more sophisticated, posing new potential risks to patients and clinical operations,” said FDA Commissioner Scott Gottlieb, M.D. “The FDA has been working to stay a step ahead of these changing cybersecurity vulnerabilities, including engaging with external stakeholders. In this way, we can help ensure the health care sector is well positioned to proactively respond when cyber vulnerabilities are identified in products that we regulate. Today’s draft premarket cybersecurity guidance provides updated recommendations for device manufacturers on how they can better protect their products against different types of cybersecurity risks, from ransomware to a catastrophic attack on a health system. We’ve been implementing this guidance since it was finalized in 2014. Now, because of the rapidly evolving nature of cyber threats, we’re updating our guidance to make sure it reflects the current threat landscape so that manufacturers can be in the best position to proactively address cybersecurity concerns when they are designing and developing their devices. This is part of the total product lifecycle approach to device safety, in which manufacturers must adequately address device cybersecurity from the design phase through the device’s time on the market to help ensure patients are protected from cybersecurity threats.”
Today, the U.S. Food and Drug Administration issued a draft guidance, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, which provides updated recommendations to industry on cybersecurity considerations for device design, labeling and documentation that the FDA recommends be included in premarket submissions for medical devices with cybersecurity risk.
Today’s updated draft guidance builds on the framework that the FDA established in its earlier guidance, finalized in 2014, for helping manufacturers consider cybersecurity in the design and development of their medical devices. These updated recommendations will facilitate an efficient premarket review process and help ensure that medical devices are designed to sufficiently address cybersecurity threats before the devices are on the market.
The draft guidance incorporates new recommendations, including a “cybersecurity bill of materials,” which is a list of commercial and/or off-the-shelf software and hardware components of a device that could be susceptible to vulnerabilities. Depending on the level of cybersecurity risk associated with a device, this list can be an important resource to help ensure that device users are able to respond quickly to potential threats. The draft guidance also introduces two tiers of devices—those with higher cybersecurity risk, including implanted devices such as pacemakers or neurostimulation devices, and standard cybersecurity risk, which includes devices that contain software—based on potential harm to patients from cybersecurity threats. The draft guidance outlines the documentation for inclusion in a premarket submission to the agency to demonstrate that the design of the medical device has adequately mitigated risk.
The agency also announced today a public workshop will be held on Jan. 29-30, 2019 to discuss the newly released draft guidance, which will bring together diverse stakeholders for an in-depth discussion to obtain feedback on the draft guidance.
FDA: Medical Device Cybersecurity
FDA: Statement from FDA Commissioner Scott Gottlieb, M.D. on FDA’s efforts to strengthen the agency’s medical device cybersecurity program as part of its mission to protect patients
FDA: FDA and DHS increase coordination of responses to medical device cybersecurity threats under new partnership; a part of the two agencies’ broader effort to protect patient safety
The FDA, an agency within the U.S. Department of Health and Human Services, protects the public health by assuring the safety, effectiveness, and security of human and veterinary drugs, vaccines and other biological products for human use, and medical devices. The agency also is responsible for the safety and security of our nation’s food supply, cosmetics, dietary supplements, products that give off electronic radiation, and for regulating tobacco products.