US FDA outlines cybersecurity recommendations for medical device manufacturers

Depending on the severity of an identified vulnerability, the FDA states that the impact on the device’s clinical performance can be identified as “controlled” (acceptable residual risk) or “uncontrolled” (unacceptable residual risk).

The FDA took aim at the threat of routine computer viruses that slow down computerized equipment and the potential for a fatal, targeted attack against an individual’s infusion pump (or other lifesaving device) by releasing its second draft guidance on ensuring medical device cybersecurity.

Most cybersecurity vulnerabilities are considered routine and can be remedied by updates or patches which would not need to be reported under the proposed guidance, the agency said. “Therefore, it is essential that manufacturers implement comprehensive cybersecurity risk management programs and documentation consistent with [FDA’s] Quality System Regulation, including but not limited to complaint handling, quality audit, corrective and preventive action, software validation and risk analysis and servicing”.

Identify and implement compensating controls, such as a work-around or temporary fix, to adequately mitigate the cybersecurity vulnerability risk, especially when an “official fix” may not be feasible or immediately practicable. The most interesting condition is the third one: participation in an Information Sharing Analysis Organization (ISAO).

Agency device and radiological health executive Suzanne Schwartz says it is essential that manufacturers improve the security of how devices are built and maintained.

The US Food and Drug Administration has issued draft guidelines to medical device makers on how to protect patients from cybersecurity vulnerabilities in their devices.

“Sharing and dissemination of cybersecurity information and intelligence pertaining to vulnerabilities and threats across multiple sectors is integral to a successful postmarket cybersecurity surveillance program”, the draft reads.

Calling cybersecurity threats to medical devices a growing concern, the FDA has issued draft guidance for manufacturers to monitor, identify and address cybersecurity vulnerabilities in medical devices throughout their lifecycles.

“FDA encourages efficient, timely and ongoing cybersecurity risk management for marketed devices by manufacturers”. The IEEE Cybersecurity Initiative has also published guidance on building security into medical device software during development.

FDA will hold a public workshop on Wednesday and Thursday at the agency headquarters in Silver Spring, Maryland, to discuss medical device protection issues with industry.

Comments and suggestions to the draft guidance can be submitted within 90 days.
