The Food and Drug Administration has issued preliminary guidance pinpointing cybersecurity concerns that manufacturers should consider when developing medical devices.
In a publicly released statement, the FDA highlighted the growing cybersecurity risks posed by devices and software programs handling sensitive health-related information: “The need for effective cybersecurity to ensure medical device functionality and safety has become more important with the increasing use of wireless, Internet- and network-connected devices, portable media (e.g. USB or CD), and the frequent electronic exchange of medical device-related health information. In addition, cybersecurity threats to the healthcare sector have become more frequent, more severe, and more clinically impactful.”
While the FDA had released guidelines in 2014 to address pre-market expectations, the rapidly changing landscape of healthcare—and an increased understanding of the numerous cybersecurity threats and their potential mitigations—necessitates an updated approach: “These recommendations can facilitate an efficient premarket review process and help ensure that marketed medical devices are sufficiently resilient to cybersecurity threats.”
FDA Commissioner Scott Gottlieb commented that the “draft premarket cybersecurity guidance provides updated recommendations for device manufacturers on how they can better protect their products against different types of cybersecurity risks, from ransomware to a catastrophic attack on a health system.”
Previous cybersecurity incidents have caused medical devices and hospital networks to become inoperable, disrupting the delivery of patient care across healthcare facilities both nationally and internationally. The FDA added that such cyberattacks can delay diagnoses and/or treatment, and potentially lead to patient harm.
The guidance includes newly developed recommendations such as a “cybersecurity bill of materials,” which lists the commercial software and hardware components in a device that may have vulnerabilities. The draft guidance also introduces two tiers of devices, based on the potential harm to patients from cybersecurity threats: those with higher cybersecurity risk, including implanted devices such as pacemakers or neurostimulation devices, and those that pose a standard cybersecurity risk, a tier covering other devices that contain software.