The FDA is now recommending that medical device manufacturers and health care facilities think about cybersecurity and put appropriate safeguards in place to reduce the risk of failure due to unauthorized access or cyber attack.
The FDA has released the following communications:
- Safety communication and notice: http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm356423.htm
- Draft Guidance on Content of Premarket Submissions for Management of Cybersecurity in Medical Devices: http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM356190.pdf
Many medical devices contain configurable embedded computers that are connected to the network and the internet over Ethernet or wireless connections.
Companies should address vulnerabilities in software and hardware such as unencrypted plain-text communication, hard-coded passwords, and SQL injection.
Manufacturers should design for security from the beginning and incorporate design elements that ensure the confidentiality, integrity, and availability of information and that the device operates as intended.
Logging and monitoring of the network for unauthorized use is also critical for organizations.
Performing a risk assessment following NIST and other industry best practices can help prioritize where additional remediation and action is needed.
Update November 20th:
FDA has already invoked the draft guidance as the basis for rejecting at least one 510(k) submission under its relatively new "Refuse to Accept Policy for 510(k)s." (FDA, Guidance for Industry and FDA Staff, Refuse to Accept Policy for 510(k)s.)
Cyber Security to Include in Medical Device Submissions - Double Helix LLC