The US FDA has released a final guidance document, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, intended to strengthen the cybersecurity, and thereby the safety, of medical devices.
As medical devices become more interconnected and interoperable they can improve patient care and create efficiencies in the healthcare system, but the risk of security breaches also increases. Like any other networked computer system, a medical device can be compromised, and a compromise can affect the safety and effectiveness of the device.
Among the cybersecurity vulnerabilities that concern the FDA are those that “include malware infections on network-connected medical devices or computers, smartphones, and tablets used to access patient data; unsecured or uncontrolled distribution of passwords; failure to provide timely security software updates and patches to medical devices and networks; and security vulnerabilities in off-the-shelf software designed to prevent unauthorized access to the device or network.”
Through this guidance document, the FDA recommends that “manufacturers consider cybersecurity risks as part of the design and development of a medical device, and submit documentation to the FDA about the risks identified and controls in place to mitigate those risks. The guidance also recommends that manufacturers submit their plans for providing patches and updates to operating systems and medical software.” Under this approach, a manufacturer's cybersecurity risk analysis should address the following areas:
- “Identification of assets, threats, and vulnerabilities;
- Assessment of the impact of threats and vulnerabilities on device functionality and end users/patients;
- Assessment of the likelihood of a threat and of a vulnerability being exploited;
- Determination of risk levels and suitable mitigation strategies;
- Assessment of residual risk and risk acceptance criteria.”
The guidance further recommends, in Section 5: Cybersecurity Functions, that manufacturers address identifying and protecting the device, in particular by limiting access to trusted users and trusted providers, and that they describe how the device will detect, respond to, and recover from a threat.
The whole guidance can be accessed here: