FDA Releases New Industry Guidelines for Securing Medical Devices Against Cybersecurity Threats
Federal regulators issued final guidance this week designed to prevent medical devices from being hacked, since a compromised device could result in interruption of care or a ransomware attack.
The U.S. Food and Drug Administration (FDA) released the guidance, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, providing recommendations for cyber device design and labeling, and describing the documentation the agency expects in premarket submissions for devices with cybersecurity risks.
Cyber devices are defined as medical devices that include software, have the ability to connect to the internet, and have technological characteristics that could be vulnerable to cybersecurity threats.
The guidance comes following growing concerns about cyber threats, such as the 2017 WannaCry ransomware outbreak that disrupted hospital systems and medical devices around the world, as well as growing awareness of vulnerabilities in decades-old code still running in medical devices, such as the URGENT/11 warning issued by the Department of Homeland Security in 2019.
“Cybersecurity threats to the healthcare sector have become more frequent and more severe, carrying increased potential for clinical impact,” FDA officials wrote in the new guidance document.
New Medical Device Cybersecurity Guidelines
The FDA guidance includes using a secure product development framework (SPDF) to establish processes that identify and reduce vulnerabilities in devices. The agency plans to assess devices in premarket submissions based on their ability to meet security objectives, including authenticity and integrity, authorization, availability, confidentiality, and the ability to receive secure and timely updates and patches for discovered security holes.
The guidelines indicate cybersecurity risks should be assessed within the context of the larger system in which the device operates. Manufacturers should conduct threat modeling to identify security risks and vulnerabilities during the design process and should include all medical device system elements.
Additionally, manufacturers should provide a list of known software anomalies that exist in a device at the time of the premarket submission and assess each anomaly's impact on the safety and effectiveness of the device.
The guidelines also specify that manufacturers are responsible for identifying cybersecurity risks in their devices and in the systems in which they expect those devices to operate, and for implementing appropriate controls to address those risks.
The final guidance accompanies the new cybersecurity requirements for cyber devices in section 524B of the Federal Food, Drug, and Cosmetic Act, added by the Food and Drug Omnibus Reform Act of 2022, which includes a series of requirements designed to prevent medical device hacking.
The new recommendations supersede the previous guidance, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” issued October 2, 2014.
Public comment on the final guidance can be submitted using Docket number FDA-2021-D-1158 electronically at www.regulations.gov or to Dockets Management Staff, Food and Drug Administration, 5630 Fishers Lane, Room 1061, (HFA-305), Rockville, MD 20852.