FDA Unveils Additional Medical Device Security GuidanceLatest Guide Focuses on Dealing with Issues for Devices in Use
The Food and Drug Administration has issued a long-awaited final version of guidance for how medical device manufacturers should help maintain the cybersecurity of network-connected devices once they are in use. A draft version of the guidance was unveiled nearly a year ago.
The non-binding guidance for managing postmarket cybersecurity is a companion to guidance the FDA issued in 2014 that focuses on premarket security steps manufacturers should take before they start selling a device (see FDA Issues Medical Device Security Guide).
"With this guidance, we now have an outline of steps the FDA recommends manufacturers take to remain vigilant and continually address the cybersecurity risks of marketed medical devices," Suzanne Schwartz, M.D., the FDA's associate director for science and strategic partnerships, says in a blog. "Central to these recommendations is FDA's belief that medical device manufacturers should implement a structured and comprehensive program to manage cybersecurity risks."
Schwartz explains that the new guidance spells out that manufacturers should:
- Have a way to monitor and detect cybersecurity in their devices;
- Understand, assess and detect the level of risk a vulnerability poses to patient safety;
- Establish a process for working with cybersecurity researchers and other stakeholders to receive information about potential vulnerabilities;
- Deploy mitigations, such as software patches, to address cybersecurity issues early, before they can be exploited and cause harm.
The guidance also recommends that manufacturers consider applying the National Institute of Standards and Technology's core principles for improving critical infrastructure cybersecurity, Schwartz points out.
"This is clearly not the end of what the FDA will do to address cybersecurity," she adds. "We will continue to work with all medical device cybersecurity stakeholders to monitor, identify and address threats, and we intend to adjust our guidance or issue new guidance as needed."
Medical device security expert Kevin Fu of Virta Laboratories says the FDA "clearly worked hard on the postmarket guidance. Whether they like it or not, the C-suites now have much greater clarity on expectations for maintaining cybersecurity of a medical device."
Fu, who is also associate professor of electrical engineering and computer science at the University of Michigan, where he directs the Archimedes Research Center for Medical Device Security, says the guidance "also responds to many of the medical device security issues highlighted in reports by the National Academies and the NIST Information Security and Privacy Advisory Board over the last six years."
Medical Device Vulnerabilities
Although there apparently have been no documented cases of medical device vulnerabilities that have led to hackers harming a patient, several white-hat hackers have issued reports in recent years demonstrating vulnerabilities in infusion pumps and other devices (see Inside Scoop: J&J Confirms Insulin Pump Security Flaws). And the FDA also issued an alert in 2015 about a flaw in certain pumps (see FDA: Discontinue Use of Flawed Infusion Pumps).
The issue of how to notify device manufacturers of vulnerabilities gained headlines recently when investment firm Muddy Waters Capital and security research start-up MedSec Holdings took the unusual, high-profile step of announcing alleged cybersecurity flaws in St. Jude Medical cardiac devices, including issuing a video on the issue (see Video on Alleged Medical Device Flaws Stirs Controversy).