The topic of cybersecurity for medical devices became a hotter issue this past year amid several high-profile hospital cybersecurity breaches, and the FDA is paying close attention.
In a blog post on the FDA’s site, Suzanne B. Schwartz, the FDA’s Associate Director for Science and Strategic Partnerships at the Center for Devices and Radiological Health, outlined the FDA’s approach to medical device cyber safety.
She said the goal of the FDA’s Center for Devices and Radiological Health is to encourage a coordinated approach of vigilance, responsiveness, resilience, and recovery that fits with a culture of continuous quality improvement.
That means manufacturers are encouraged to proactively update and patch devices in a safe and timely manner. The FDA understands that where medical devices are concerned, this can be complex and requires a collaborative approach to find workable solutions.
To help device manufacturers better understand its requirements, the FDA has published a set of guidelines for Postmarket Management of Cybersecurity in Medical Devices to go along with its premarket guidance for medical device cybersecurity.
The guidance contains recommendations for comprehensive management of medical device cybersecurity and includes monitoring of devices already on the market. Ms. Schwartz says the agency is working closely with manufacturers to assess cybersecurity risks and address them.
Here are some of the highlights of the non-binding FDA recommendations for medical device makers in terms of cybersecurity along with tips from an FDA Factsheet about medical device cybersecurity.
- Medical device manufacturers must comply with federal regulations. Part of those regulations, called quality system regulations (QSRs), requires that medical device manufacturers address all risks, including cybersecurity risk. The premarket and postmarket cybersecurity guidance provides recommendations for meeting QSRs.
- The FDA recognizes that cybersecurity risk management is a shared responsibility among device makers, Health IT, developers, and vendors.
- Manufacturers should have a process for assessing the exploitability of a cybersecurity vulnerability. The FDA encourages medical device manufacturers to address cybersecurity risks to keep patients safe and better protect the public health in a proactive, rather than reactive, manner.
This includes monitoring, identifying, and addressing cybersecurity vulnerabilities in medical devices once they are on the market. The agency suggests using assessment tools, such as the “Common Vulnerability Scoring System” version 3 to aid in assessment.
- The agency recognizes that adoption of a proactive approach requires the sharing of cyber risk information and intelligence with the medical device community and encourages formation of Information Sharing Analysis Organizations (ISAOs).
- The agency considers voluntary participation in an ISAO a critical component of a medical device manufacturer’s comprehensive proactive approach to management of postmarket cybersecurity.
- Medical device manufacturers can always update a medical device for cybersecurity. In fact, the FDA does not typically need to review changes made to medical devices solely to strengthen cybersecurity. However, medical device manufacturers remain responsible for the validation of all software design changes, including computer software changes to address cybersecurity vulnerabilities.
If you are looking for an advisory partner, Kapstone Medical is well versed in regulatory planning, 510(k) submissions, CE Mark and quality systems development.