FDA Draft Guidelines On Medical Device CyberSecurity Issued

The FDA has published a draft guidance regarding medical device cybersecurity. With the guidance entitled “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions”, the agency seeks to assist medical device manufacturers with incorporating cybersecurity safeguards into their products during the premarket period and to ensure that security risks are addressed for the duration of each product’s lifetime.

The first guidance on premarket medical devices for medical manufacturers was published in 2014. Subsequently, an updated draft was introduced in 2018 as a result of new threats to medical device security, including the increased use of wireless, internet- and network-connected devices, the regular exchange of health information related to medical devices, and portable media. The FDA has major concerns regarding the security of medical devices. As medical devices evolve and continue to become interconnected, the number of cybersecurity threats continues to increase and the threats become more severe. Treatments, diagnoses, and test results could be delayed as a result of cyberattacks on healthcare providers, which could endanger patients.

With the introduction of the update to the guidance, the FDA hoped to create a modernized strategy to guarantee that cybersecurity risks are controlled and reduced to a manageable and acceptable level. The updated guidance includes recommendations relating to device design and labeling. The FDA advises that premarket applications for products with cybersecurity risks contain the suggested documents. To update the guidance, the FDA considered feedback from various sources, including stakeholders and the Health Care Industry Cybersecurity Task Force Report.

A significant component of the updated guidance is its recommendations on threat modeling. Threat modeling is a requirement for a software bill of materials, including security risk assessment and management, third-party software, the implementation of security controls, vulnerability management planning, cybersecurity testing, and the significance of cybersecurity transparency. Medical device manufacturers who follow the FDA’s guidance will help ensure an effective premarket review process and that their products are sufficiently resistant to cyberattacks. The FDA has requested that electronic or written comments on the draft guidance be submitted by July 7, 2022, so that the agency can consider all comments before it begins work on the final version of the guidance.