In an era where medical devices are increasingly used to collect and analyze health data, and to transmit information to other connected systems and devices, cybersecurity threats potentially pose a serious risk to patient safety. In an effort to help medical device manufacturers and healthcare facilities mitigate and manage cybersecurity threats, the FDA recently issued a final guidance for the postmarket management of cybersecurity vulnerabilities in medical devices. The guidance applies to any marketed and distributed medical device. This includes devices containing software, mobile medical applications, devices that are a part of interoperable systems, and devices that are already on the market or in use.
The FDA encourages medical device manufacturers to consider potential cybersecurity risks and vulnerabilities throughout the entire product lifecycle: from design and manufacturing to distribution and maintenance. This proactive approach can potentially reduce overall health risks for users of medical devices.
Manufacturers should implement cybersecurity risk management programs that emphasize addressing vulnerabilities that could result in patient harm. The elements of a successful risk management program may include the following:
- Identification of assets, threats, and vulnerabilities
- Assessment of the impact of threats and vulnerabilities on device functionality and end users/patients
- Assessment of the likelihood of a threat and of a vulnerability being exploited
- Determination of risk levels and suitable mitigation strategies
- Assessment of residual risk and risk acceptance criteria
The FDA also encourages manufacturers to participate in Information Sharing and Analysis Organizations (“ISAOs”), which serve as focal points for cybersecurity information sharing and collaboration. ISAOs gather and analyze critical infrastructure information in order to better understand cybersecurity problems and interdependencies; communicate or disclose critical infrastructure information to help prevent, detect, mitigate, or recover from the effects of cyber threats; and voluntarily disseminate critical infrastructure information to their members or to others involved in the detection of and response to cybersecurity issues.
While the FDA’s guidance is nonbinding, it does serve to clarify the FDA’s expectations for medical device manufacturers. Accordingly, manufacturers should take steps to implement the FDA’s recommendations, assess the sufficiency of their risk management programs, proactively address risks, and consider participation in an ISAO.