Medical device cybersecurity guidelines

The FDA has published new cybersecurity guidelines for medical devices that are vulnerable to cybersecurity risks.

A new draft of guidelines for addressing “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” was published recently by the Food and Drug Administration agency. The new draft guidance reflects the agency’s thoughts about the new submissions.

The new guidelines are the result of a report by the Office of Inspector General (OIG) that talked about the cybersecurity risks involved with medical devices. Network medical devices are at risk of cybersecurity threats if they are cleared through PMA (premarket approval application) or the premarket notification process (510(k)).

The report from the OIG noted that manufacturers are required to submit cybersecurity information to the FDA, but the information is not enough to analyze the possible cybersecurity risks involved with the use of the software. The OIG also pointed fingers by saying that the FDA has shown inconsistency in the information it asks for in submissions.

Considering that networked medical devices are a hot potential target for cyberthieves, the FDA published the new draft guidance to ensure better protection of the medical devices and the data and preventing unauthorized digital access.

The agency stated that the exploits and cyber attacks can delay diagnoses and treatment, leading to possible patient harm.

Quality System Regulations put in place by the FDA requires manufacturers to establish and maintain procedures to validate the design of the devices, including the risk analysis and software validation. Now, the FDA has also recommended the manufacturers to include design controls to maintain the effectiveness and safety of the medical device while also keeping it secure. The inclusion of these design controls might improve submissions and approvals.

The newly published guidelines recommend the manufacturers to use a risk-based approach for developing and designing cybersecurity measures into their devices. The devices need to be built-in with programs that will monitor potential threats and issue updates to deal with future cybersecurity threats.

Devices connected wirelessly or to the Internet are the obvious targets for hackers, which is why the manufacturers will now need to include a Cybersecurity Bill of Materials when filing for submissions. This will help the FDA in identifying the accessories or components that could be exploited by hackers.

A new Tier I level of security standard has also been created by the FDA for ensuring better cyber-protection than Tier 2 devices that are not connected to the internet or wirelessly.

The new design controls for medical devices will now have to come with authorizations like passwords, IDs, layered authorization for technicians, healthcare professionals, and patients, and auto logout options with time-limited sessions. The new submissions will also consider authorization and authentication of critical safety commands. Lastly, the devices should now come with labels that warn providers and patients about the potential cybersecurity risks that the devices carry.

Through these new guidelines, the FDA hopes that the cybersecurity risks for medical devices will be addressed hugely. The cybersecurity landscape is changing constantly, so the guidelines will keep evolving in order to fight newer vulnerabilities. The manufacturers will have to keep up with the draft guidance and keep themselves aware of its future updates.

Image credit: www.istockphoto.com