The FDA issued a draft guidance outlining important steps medical device manufacturers should take to continually address cybersecurity risks to keep patients safe and better protect the public health.
The guidance makes post-market recommendations for medical device manufacturers, including the need to proactively plan for and assess cybersecurity vulnerabilities, consistent with the FDA’s Quality System Regulation.
It also addresses the importance of information sharing via participation in an Information Sharing Analysis Organization, a collaborative group in which public and private-sector members share cybersecurity information.
The draft guidance recommends that manufacturers implement a structured, systematic and comprehensive cybersecurity risk management program and respond in a timely fashion to identified vulnerabilities.
According to the FDA's press release, the exploitation of cybersecurity vulnerabilities presents a potential risk to the safety and effectiveness of medical devices.
"While manufacturers can incorporate controls in the design of a product to help prevent these risks, it is essential that manufacturers also consider improvements during maintenance of devices, as the evolving nature of cyber threats means risks may arise throughout a device’s entire lifecycle," according to the release.