
Amid rising cyberattacks on healthcare systems, the Food and Drug Administration (FDA) is urging medical device makers to build cybersecurity into devices from the start as part of new guidance that outlines protections across the entire product lifecycle.
The latest guidance comes on the heels of a surge in cyberattacks against hospitals, medical facilities, and health-related industries across the United States.
“With the increasing integration of wireless, Internet- and network-connected capabilities, portable media … and the frequent electronic exchange of medical device related health information and other information, the need for robust cybersecurity controls to ensure medical device safety and effectiveness has become more important,” FDA said.
“Cyber incidents have rendered medical devices and hospital networks inoperable, disrupting the delivery of patient care across healthcare facilities in the U.S. and globally,” the agency added. “Such cyber incidents and exploits may lead to patient harm as a result of clinical hazards, such as delay in diagnoses and/or treatment.”
While the guidance covers a variety of medical systems and devices, it also deals with what the agency referred to as “cyber devices” which enable internet connectivity.
Those devices are legally required to have timely documentation of their cybersecurity vulnerabilities and exploitations; be designed to maintain cybersecurity processes; and provide a software bill of materials.
Additional voluntary guidance for cyber devices includes using a secure product development framework, performing continuous security risk management, performing threat modeling, conducting cybersecurity risk assessments, creating performance metrics, and addressing potential risks from third-party software.
Under the new guidance, manufacturers – for all devices and systems – are expected to embed security into their product development process as part of broader quality system regulation. Device makers must also submit cybersecurity documentation that scales with the risk a device poses, not just its technical complexity.
“Cybersecurity risks evolve over time and as a result, the effectiveness of cybersecurity controls may degrade as new risks, threats, and attack methods emerge,” said FDA.
The FDA stressed transparency standards, saying that manufacturers should provide users with cybersecurity-related information such as a software bill of materials, update procedures, and known risks.
Other controls encouraged by FDA include multi-factor authentication, encrypted communications, and documenting security events.