FDA posts cybersecurity guidance for medical device manufacturers

In addition to incorporating controls in device designs, makers must also consider ongoing improvements because risks could occur over the device's lifecycle.
By Bernie Monegain
10:04 AM

The Food and Drug Administration has issued draft guidance outlining steps medical device manufacturers should take to counter cybersecurity threats.

The agency offers advice on monitoring, identifying and addressing cybersecurity vulnerabilities in medical devices once they have entered the market.

The draft guidance, published Jan. 15, is part of the FDA's effort to ensure the safety and effectiveness of medical devices at all stages in their lifecycle, officials said. They note that in addition to incorporating controls in the design of the device, makers must also consider improvements during maintenance because risks could occur over the device's lifecycle.


The draft guidance recommends manufacturers implement a structured and systematic comprehensive cybersecurity risk management program and respond in a timely fashion to identified vulnerabilities.

The FDA says the program should apply the 2014 NIST voluntary Framework for Improving Critical Infrastructure Cybersecurity. It also should include monitoring of cybersecurity information sources to identify and detect vulnerabilities and risk; assessing and detecting the presence and impact of a vulnerability; establishing and communicating processes for vulnerability intake and handling; clearly defining essential clinical performance in order to develop mitigations that recover from cybersecurity risk; adopting a coordinated vulnerability disclosure policy and practice; and deploying mitigations that address cybersecurity risk early.

Comments on the draft guidance will be open for 90 days after its publication in the Federal Register.

