The Food and Drug Administration (FDA) released new draft guidance for the cybersecurity of medical devices on Wednesday, with a focus on risk management and applying the cybersecurity framework from the National Institute of Standards and Technology (NIST).
“This guidance has been developed by the FDA to assist industry by identifying issues related to cybersecurity that manufacturers should address in the design and development of their medical devices as well as in preparing premarket submissions for those devices,” the agency wrote.
The guidance, which applies to devices and software devices, notes that medical device cybersecurity is a shared responsibility, and that device manufacturers can hold up their end of the bargain by taking a risk-based approach to design and development, assessing and mitigating risks throughout the product’s lifecycle, ensuring maintenance, and promoting the development of trustworthy devices.
FDA recommends that manufacturers distinguish between high-risk devices, such as connected devices or ones that could directly cause patient harm, and standard-risk devices.
“We recognize that this cybersecurity risk tiering may not track to FDA’s existing statutory device classifications,” the agency noted. “The principles and approaches described in this guidance are broadly applicable to all medical devices and are intended to be consistent with the NIST Framework for Improving Critical Infrastructure Cybersecurity.” The agency recommended clear labeling of cybersecurity risk to inform the end user.
In alignment with NIST’s framework, the guidance calls on manufacturers to identify and protect device assets and functionality, ensure trusted content by maintaining integrity, and maintain confidentiality of data. FDA also recommends that manufacturers build devices that can detect events in a timely fashion, respond to an incident and contain its impact, and recover impaired capabilities.