FDA finalizes cybersecurity guidance for medical devices
On Dec. 27, the U.S. Food and Drug Administration issued a final guidance addressing the cyber vulnerabilities in medical devices, outlining how manufacturers should maintain security of internet-connected devices such as pacemakers and insulin pumps.
With the guidelines, the FDA said manufacturers must build cybersecurity controls into medical devices during the development process. Further, they should establish, document and maintain the identification of hazards throughout the device lifecycle as part of risk management.
Some in the healthcare industry have long criticized the FDA for only giving suggestions to fix these major security flaws – rather than offering official guidelines. Missing from this final draft are plans for the how the FDA would enforce these rules.
"Today’s post-market guidance recognizes today’s reality: Cybersecurity threats are real, ever-present and continuously changing," said Suzanne B. Schwartz, MD, the FDA’s associate director for science and strategic partnerships, said in a statement. "As hackers become more sophisticated, these cybersecurity risks will evolve."
The FDA recommends manufacturers continually monitor cybersecurity vulnerabilities of devices and should create a program to mitigate these risks.
Additionally, they should assess vulnerabilities in their products and how they could affect patients, while working with researchers to better understand potential cyber risks. Manufacturers should also address issues early on before an exploit can occur, through deployed mitigations, such as software patches.
The FDA also stressed that it's important for developers to apply the core rules of National Institute of Standards and Technology to improve cybersecurity infrastructure.
The 30-page guidance was released as the FDA investigates claims that St. Jude Medical’s heart devices are vulnerable to attacks that can endanger patient lives. FDA guidance released in 2014 addressed cybersecurity needs during new device development, but failed to include devices currently on the market.
"It’s only through application of these guiding principles, executed alongside best practices such as coordinated vulnerability disclosure, that will allow us all to navigate this uncharted territory of evolving risks to device security," Schwartz said.
"This is clearly not the end of what FDA will do to address cybersecurity," she added. "We’ll continue to work with all medical device cybersecurity stakeholders to monitor, identify and address threats and intend to adjust our guidance or issue new guidance, as needed."