The FDA dug into some of the details of its final guidance on medical device security in a webinar yesterday, explaining the organization’s approach to cybersecurity and risk assessment.
The agency published its final guidance on the postmarket management of cybersecurity threats in medical devices late last month. The recommendations apply to medical devices that use software, including programmable logic, and to software that is itself regulated as a medical device, such as mobile medical apps.
Organizations should implement a proactive, comprehensive risk management program, starting by applying the National Institute of Standards and Technology (NIST) Framework to Strengthen Critical Infrastructure Cybersecurity, according to the presentation (PDF).
The updated draft guidelines NIST released this week include specific updates on cybersecurity metrics, considerations for supply chain risk management, and common terminology for communicating with outside partners and vendors.
According to the FDA, organizations should:
- Establish and communicate processes for vulnerability intake and handling
- Adopt a coordinated disclosure policy and practice
- Deploy mitigations that address cybersecurity risk early and prior to exploitation
- Engage in collaborative information sharing for cyber vulnerabilities and threats