The U.S. Food and Drug Administration has issued new draft guidance on postmarket cybersecurity of medical devices.
It follows up on previous guidance published in October 2014 outlining how medical device makers should address cybersecurity risks in the premarket design of their products. The IEEE Cybersecurity Initiative has also published guidance on medical device security during software development.
However, "because cybersecurity risks to medical devices are continually evolving, it is not possible to completely mitigate risks through premarket controls alone," the FDA says.
It says it is essential that manufacturers implement comprehensive cybersecurity risk management programs and documentation that include complaint handling, quality audits, corrective and preventive action, risk analysis and more. It urges manufacturers to address cybersecurity throughout the product lifecycle.
The guidance reiterates that routine updates and patches generally do not require FDA approval, a stance some vendors have been taking.
The FDA also "strongly recommends" that manufacturers participate in cybersecurity Information Sharing and Analysis Organizations to keep abreast of vulnerabilities and threats across multiple sectors.
"To manage postmarket cybersecurity risks for medical devices, a company should have a structured and systematic approach to risk management and quality management systems," the guidance states.
Independent security researcher Billy Rios, who has been among those highly critical of the FDA's cybersecurity oversight of devices, told HealthcareInfoSecurity the guidance lays out steps manufacturers should have been doing all along.
To learn more:
- here's the guidance (.pdf)