Management of Cybersecurity in Medical Devices
On January 15, 2016, the Food and Drug Administration (FDA) issued draft guidance, “Postmarket Management of Cybersecurity in Medical Devices,” addressing cybersecurity and risk management of vulnerabilities in medical devices.
FDA Device Regulation Guidance
FDA Cybersecurity Workshop
The guidance was published just prior to the FDA Cybersecurity Workshop held on January 20-21, 2016 in Maryland. Online webcasts of the workshop proceedings are available here: Workshop Conference
The draft guidance applies to medical devices that contain software (including firmware) or programmable logic, and to software that is a medical device. Medical devices are increasingly connected to computer networks to facilitate patient care and, as a result, may be vulnerable to cybersecurity threats.
Reporting Security Problems and Improvements
FDA encourages manufacturers of PMA devices that are subject to periodic reporting requirements under 21 CFR 814.84 to include in their annual reports information concerning cybersecurity vulnerabilities, as well as the device changes and compensating controls implemented in response to that information.
http://www.fda.gov/MedicalDevices/Safety/ReportaProblem/default.htm
The guidance document is currently distributed for comment purposes only and does not contain binding requirements.
Additional Reading
This guidance complements previous FDA guidance relating to PMA submissions and to steps for protecting networked medical devices that contain off-the-shelf (OTS) software.
2013 – Cybersecurity Challenges for Medical Devices
2015 – Cybersecurity for Networked Medical Devices Containing Off-the-Shelf Software