FDA Releases Updated Draft of Cybersecurity Guidance for Medical Device Manufacturers
On April 8, the U.S. Food and Drug Administration released updated cybersecurity guidance for medical device manufacturers.
According to the new guidance, “cybersecurity incidents have rendered medical devices and hospital networks inoperable, disrupting the delivery of patient care across health care facilities in the U.S.”
The nearly 50-page draft provides updated guidance for medical device manufacturers to better understand the total product lifecycle of new and legacy devices.
“Cybersecurity risks evolve over time and as a result, the effectiveness of cybersecurity controls may degrade as new risks, threats, and attack methods emerge,” writes the FDA in the document.
The draft of the guidance comes as the U.S. Cybersecurity and Infrastructure Security Agency has been issuing warnings that the Russian invasion of Ukraine may increase the risk of cyberattacks in the U.S. health system.
The guidance draft also follows recent efforts from Sens. Bill Cassidy, R-La., and Tammy Baldwin, D-Wis., to increase cybersecurity for medical devices through the Protecting and Transforming Cyber Health Care Act.
If the PATCH Act is passed, medical devices will not get FDA approval without meeting specific cybersecurity requirements.
Each device, prior to submission to the FDA, would also have to include documents like a Software Bill of Materials and a Coordinated Vulnerability Disclosure, which can make it easier to identify vulnerabilities that affect the device.
Manufacturers would also be required to develop a plan for monitoring, identifying and addressing post-market cybersecurity vulnerabilities.
Alexa can be reached at [email protected]