Last Friday (January 22, 2016), the Food and Drug Administration (FDA) published draft guidance for medical device makers on the importance of including cybersecurity measures in approved products. Further, the guidance highlights the importance of reporting any post-approval fixes to assist others with their cybersecurity measures, particularly for medical devices connected to the Internet.

The guidance, entitled “Postmarket Management of Cybersecurity in Medical Devices,” describes how medical device manufacturers should assess security vulnerabilities during development, as well as after market approval of medical devices. The vulnerabilities should be assessed based upon the harm that could occur to patients if a security incident occurred. A section on medical device cybersecurity risk management includes assessing the exploitability of the cybersecurity vulnerability, assessing the severity of the impact to health, and evaluating the risk to essential clinical performance.

In addition, the guidance discusses what type of information manufacturers should include in annual reports to the FDA, including device upgrades made as a result of vulnerability assessments, and why the upgrades were made. It also explains the important elements to be assessed during post-approval product surveillance, including the use of NIST standards.

Finally, the guidance provides elements that should be included in an “effective postmarket cybersecurity program.” All in all, the guidance is consistent with the FDA’s previous guidance on cybersecurity for medical devices, but provides more details.

Medical device manufacturers may wish to review the draft guidance and give comment. The comment period is open for 90 days.