Following up on its 2014 “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices”, the FDA recently issued “Postmarket Management of Cybersecurity in Medical Devices”, which recommends how medical device manufacturers might classify and address cybersecurity vulnerabilities. The guidance covers software and networked medical devices used in patient care, including devices that contain software or programmable logic.
For manufacturers that voluntarily follow the FDA parameters and participate in an Information Sharing and Analysis Organization, the agency will dispense with reporting on minor adverse cybersecurity-related events per 21 C.F.R. Part 806. Unless cybersecurity vulnerabilities and exploits could interfere with the “essential clinical performance” of a device with probable harm or death to the user, the FDA considers the measures that manufacturers take to address vulnerabilities and exploits routine and not requiring advance notification or reporting under 21 C.F.R. Part 806.
Besides encouraging manufacturers to use the NIST “Framework for Improving Critical Infrastructure Cybersecurity” to help manage their cybersecurity risk, the FDA guidance provides advice tailored to medical device cybersecurity risk management.
To ensure patient safety, risk management programs must incorporate processes for monitoring, detecting, identifying, characterizing and evaluating cybersecurity vulnerabilities; establish and communicate procedures for handling identified or realized vulnerabilities; define essential clinical performance in order to develop mitigation strategies for protecting against, responding to and recovering from cybersecurity breaches; adopt a coordinated vulnerability disclosure course of action; and deploy mitigations that deal with cybersecurity vulnerabilities proactively, before exploitation.
In the Draft Guidance, the FDA wants assurance that medical device manufacturers consider cybersecurity risk during the device’s entire life cycle, including postmarket management. The FDA has accepted comments from manufacturers.