The FDA has released a draft guidance for companies that make connected medical devices, advising them of steps that should be taken to deal with cybersecurity risks. The guidance concerns medical devices that connect to a facility’s network, and comes at a time when an increasing number of companies — medical and otherwise — have been hit with massive data breaches.
This draft guidance covers a variety of topics for manufacturers of such devices, including recommendations for monitoring for and identifying cybersecurity threats, as well as addressing vulnerabilities that could allow such threats to be effective.
It also isn’t enough for manufacturers to create secure devices. The FDA points out that cybersecurity needs to be ongoing, as “cyber threats … may arise throughout” the entire life of the device. As such, manufacturers must also keep in mind the need to update and protect existing devices on the market.
In most cases, such risk management will involve routine patches and updates that companies can release without notifying the FDA.
Said the FDA’s Suzanne Schwartz, MD:
Today’s draft guidance will build on the FDA’s existing efforts to safeguard patients from cyber threats by recommending medical device manufacturers continue to monitor and address cybersecurity issues while their product is on the market.