FDA Issues Device Cybersecurity Draft Guidance

April 13th, 2022 // 8:44 pm

FDA issued a new draft guidance last week that affects medical device cybersecurity. "Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions" was written to stress how important it is to protect medical devices during the product’s entire life cycle.

The new guidance is intended to replace the previous guidance on the subject issued in 2018. The recommendations on medical device cybersecurity will ensure that medical devices have enough safeguards built in to withstand most cybersecurity threats.

Medical device cybersecurity is becoming more important as Americans enjoy more benefits from connected care. More connectivity leads to single medical devices working as part of a larger device system. These systems may include healthcare facility networks, additional medical devices, and software update servers.

Without enough cybersecurity forethought for all parts of these systems, a cybersecurity threat may affect the safety and effectiveness of a medical device by compromising how any part of the system functions.

The draft guidance is built around three ideas: that cybersecurity is an integral part of medical device safety and the FDA Quality System Regulations, the importance of transparency for device users, and the agency’s ideas for assessing a medical device’s security.

Medical device manufacturers should keep in mind the larger system in which the patient uses the device. For example, the risk profile of a thermometer that is not connected differs from that of one that is part of a vital safety control loop.

Cybersecurity risks also change over time. The effectiveness of cybersecurity controls can get worse as new risks develop, and new threats and attack types will show up. Because cybersecurity is so important for medical device safety and effectiveness, controls for it should be thought out in the intended device environment and in the real world.

The FDA guidance also features labeling suggestions for medical devices that have cybersecurity risks. These include diagrams and descriptions of restore and backup procedures.

Instructions for handling cybersecurity risks should be readable by their audience, which can include caregivers and patients who don’t have a lot of scientific knowledge.
