FDA Issues Guidance on Medical Device Cyber Security

The U.S. Food and Drug Administration (FDA) has released a new draft guidance on the post-market management of medical device cyber security. The guidance responds to ever-evolving technology and the resulting increase in the risk of cyber breaches that could affect devices’ functionality throughout their life cycles. It complements an earlier final guidance issued in October 2014.

This new guidance outlines steps the FDA recommends manufacturers take to continually manage cyber security risks, including:

  • Devising ways to monitor and detect security vulnerabilities in their devices;
  • Assessing and detecting the level of risk such a vulnerability poses to patient safety;
  • Establishing a protocol for working with researchers and other stakeholders to receive information about potential vulnerabilities (called a “coordinated vulnerability disclosure policy”);
  • Utilizing software patches to address security issues before they can be exploited.

The FDA also recommends that manufacturers and stakeholders consider applying the National Institute of Standards and Technology’s (NIST) core principles for improving cyber security: identify, protect, detect, respond and recover.

The FDA has promised to continue working with all medical device cyber security stakeholders to monitor, identify and address threats, and to adjust the guidance accordingly or issue new guidance. It is also seeking comments regarding its new draft guidance on cyber security regulations for medical devices; for more information, visit http://www.fda.gov/ucm/groups/fdagov-public/@fdagov-meddev-gen/documents....
