FDA pubs cybersecurity guidance for med device makers

In a final guidance document published Oct. 1 by the U.S. Food and Drug Administration, the agency outlines measures it believes medical device manufacturers must take to ensure the safety and security of their tools in the face of growing cyberthreats.

The agency calls on device makers to account for cybersecurity risks during design and creation, and to submit documentation on any risks identified and controls developed to lessen such risks. FDA also says it wants to see manufacturers' plans for patching and updating medical software and operating systems.

"The need for effective cybersecurity to assure medical device functionality and safety has become more important with the increasing use of wireless, Internet- and network-connected devices, and the frequent electronic exchange of medical device-related health information," the guidance says.

Suzanne Schwartz, director of emergency preparedness/operations and medical countermeasures for the agency's Center for Devices and Radiological Health, reiterates that point in a statement accompanying the guidance, saying that device makers must "remain vigilant" about risks for the sake of patients.

"There is no such thing as a threat-proof medical device," Schwartz says.

Earlier this week, the FDA's device-approval processes came under fire in two articles published in JAMA Internal Medicine.

One article, from the National Center for Health Research, looked for publicly available data used in the 510(k) process, which allows medical devices to go to market faster if they are "substantially equivalent" to devices already being sold. Looking at 50 devices cleared between 2008 and 2012, as well as more than 1,100 previously cleared devices, the study's authors found evidence of equivalence on just 16 percent of new devices and 3 percent of publicly cleared devices.

The second article criticized the effectiveness of post-approval surveillance of approved high-risk devices.

Last week, the FDA announced that it will join forces with the National Health Information Sharing and Analysis Center to foster communication and collaboration on dealing with security vulnerabilities that may impact the safety, effectiveness and security of devices.

Later this month, the FDA plans to hold a public workshop focusing on cybersecurity. The workshop will be held in collaboration with stakeholders from the U.S. Department of Health and Human Services and the Department of Homeland Security.
