FDA Releases New Industry Guidelines for Securing Medical Devices Against Cybersecurity Threats

The new guidelines come as the medical community faces increasing risks from medical device cybersecurity threats, including ransomware and data breaches.

Federal regulators issued final regulations this week designed to prevent medical devices from being hacked, which could result in interruption of care or ransomware attacks.

The U.S. Food and Drug Administration (FDA) released the guidance, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, providing recommendations for cyber device design, labeling, and the documentation the agency recommends for premarket submissions involving devices with cybersecurity risks.

Cyber devices are defined as any medical product or software that can connect to the internet, and may be vulnerable to cybersecurity threats.

The guidance comes following growing concerns about recent cyber threats, such as the WannaCry ransomware that attacked hospital systems and medical devices around the world, as well as growing information about decades-old medical device vulnerabilities, such as the URGENT/11 warning issued by the Department of Homeland Security in 2019.

“Cybersecurity threats to the healthcare sector have become more frequent and more severe, carrying increased potential for clinical impact,” FDA officials wrote in the new guidance document.

New Medical Device Cybersecurity Guidelines

The FDA guidance includes using a secure product development framework (SPDF) to establish processes that identify and reduce vulnerabilities in devices. The agency plans to assess devices for premarket approval based on their ability to meet security objectives, focusing on confidentiality and the ability to undergo secure and timely updates and patches to possible holes in security.

The guidelines indicate cybersecurity risks should be assessed within the context of the larger system in which the device operates. Manufacturers should conduct threat modeling to identify security risks and vulnerabilities during the design process and should include all medical device system elements.

Additionally, manufacturers should provide a list of software anomalies that exist in a device at the time of approval and conduct an evaluation of the impact on the safety and effectiveness of the device.

The guidelines also specify that manufacturers are responsible for identifying cybersecurity risks in their devices and in the systems in which they expect those devices to operate, and for implementing the appropriate controls to address those risks.

The final guidance is a part of the FDA’s “Zero Trust” rule, which includes a series of enhancements designed to prevent medical device hacking.

The new recommendations supersede the previous guidance, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” issued October 2, 2014.

Public comment on the final guidance can be submitted using Docket number FDA-2021-D-1158 electronically at www.regulations.gov or to Dockets Management Staff, Food and Drug Administration, 5630 Fishers Lane, Room 1061, (HFA-305), Rockville, MD 20852.
