FDA Drafts Medical Device Security Guidance


The FDA is now recommending that medical device manufacturers and health care facilities think about cybersecurity and put appropriate safeguards in place to reduce the risk of failure due to unauthorized access or cyber attack.

The FDA has released the following communications:

Many medical devices contain configurable embedded computers that connect to the local network and the internet over Ethernet or wireless links.

Companies should address vulnerabilities in both software and hardware, such as unencrypted plaintext communication, hard-coded passwords, and SQL injection.
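Two of those weaknesses, a hard-coded service password and string-built SQL, often sit together in a device's login routine. The following is an added illustration, not code from the FDA communications or from any device vendor: it builds a constructed in-memory SQLite user table, shows a login function that carries both defects and can be bypassed without a valid credential, and then the hardened form (parameterized query, per-user salted PBKDF2 hash, constant-time comparison, no built-in password). All table, user and password names are assumptions for the demonstration.

```python
import hashlib
import hmac
import os
import sqlite3

# Hard-coded "service" credential: the anti-pattern the guidance calls out.
# Anyone who extracts the firmware recovers it, and it cannot be rotated.
SERVICE_PASSWORD = "service123"  # assumption: constructed for the demo


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so a stolen table does not yield the passwords directly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data: one plaintext table for the vulnerable path,
    one salted-hash table for the hardened path. Not real device data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_plain (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for username, password in [("admin", "correct horse"), ("nurse1", "battery staple")]:
        conn.execute("INSERT INTO users_plain VALUES (?, ?)", (username, password))
        salt = os.urandom(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                     (username, salt, hash_password(password, salt)))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Deliberately flawed: hard-coded password plus SQL built by concatenation."""
    if password == SERVICE_PASSWORD:          # backdoor credential works for any user
        return True
    query = ("SELECT 1 FROM users_plain WHERE username = '" + username
             + "' AND password = '" + password + "'")
    # A username of  admin' --  turns the rest of the WHERE clause into a comment,
    # so the password check never runs.
    return conn.execute(query).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized lookup, salted hash, constant-time compare, no master password."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        # Burn the same hashing cost for unknown users so response time does not
        # reveal whether the account exists.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored_hash = row
    return hmac.compare_digest(hash_password(password, salt), stored_hash)


if __name__ == "__main__":
    db = build_demo_db()
    print("vulnerable, injection  :", login_vulnerable(db, "admin' --", "wrong"))
    print("vulnerable, backdoor   :", login_vulnerable(db, "anyone", SERVICE_PASSWORD))
    print("hardened,   injection  :", login_hardened(db, "admin' --", "wrong"))
    print("hardened,   backdoor   :", login_hardened(db, "anyone", SERVICE_PASSWORD))
    print("hardened,   real login :", login_hardened(db, "admin", "correct horse"))
```

Running the block shows the vulnerable routine granting access to `admin' --` with any password and to any username with the baked-in service password, while the hardened routine refuses both and accepts only the genuine credential. The plaintext `users_plain` table exists only to make the injection visible; a real device should store nothing but the salted hash.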

Manufacturers should design for security from the beginning and incorporate design elements that ensure the Confidentiality, Integrity, and Availability of information and keep the device operating as intended.

Logging and monitoring the network for unauthorized use is also critical for health care organizations.

Performing a risk assessment following NIST and other industry best practices can help prioritize where additional remediation and action is needed.

Update November 20th:

FDA has already invoked the draft guidance as a basis for rejecting at least one 510(k) submission under its relatively new "Refuse to Accept Policy for 510(k)s." (FDA, Guidance for Industry and FDA Staff, Refuse to Accept Policy for 510(k)s)