FDA Releases Final Guidance on Medical Device Cybersecurity
Need for Guidance
FDA said the guidance is necessary to help manufacturers consider cybersecurity concerns when developing, designing and submitting devices for approval (Pedulli, Clinical Innovation & Technology, 10/1). The agency wrote, "The need for effective cybersecurity to assure medical device functionality has become more important with the increasing use of wireless, Internet- and network-connected devices and the frequent electronic exchange of medical device-related health information."
Specifically, the guidance is intended to protect patient data from hackers attempting to access patient data via malware and other potential security breaches (Devaney, The Hill, 10/1).
Suzanne Schwartz -- director of emergency preparedness, operations and medical countermeasures for FDA's Center for Devices and Radiological Health -- in a statement said, "There is no such thing as a threat-proof medical device" and noted that manufacturers must "remain vigilant" about potential risks to protect patient data (Bowman, FierceHealthIT, 10/1).
Details of Final Guidance
When developing a medical device, FDA recommends that manufacturers:
- Assess device risks and vulnerabilities;
- Determine criteria for risk acceptance;
- Evaluate how risks could affect device functionality; and
- Measure the risk levels and create strategies to mitigate risk (Goedert, Health Data Management, 10/1).
The guidance further recommends that manufacturers in premarket device submissions:
- Give instructions and product specifications for the recommended cybersecurity controls (FDA guidance, 10/1);
- Include a matrix connecting the cybersecurity risks considered to a device's cybersecurity controls;
- List all cybersecurity risks considered in the design process (Clinical Innovation & Technology, 10/1);
- Outline a plan for providing software updates and patches to the device's software or operating system (Clinical Innovation & Technology, 10/1); and
- Provide a list of and justifications for all the cybersecurity controls established for a device (FDA guidance, 10/1).
In addition, the guidance states that manufacturers should balance cybersecurity risks with usability considerations for particular settings. For example, the agency wrote that cybersecurity controls should not prevent users from accessing devices during an emergency (Health Data Management, 10/1).
The Usability People work with you on improving the Usability of Healthcare IT.
Together we may save a life! #SafeHealthIT