Updated guidance issued by the Food and Drug Administration on Wednesday includes several new cybersecurity recommendations for medical devices.
Among those changes, the FDA is asking manufacturers to include a list of hardware and software components within each device—known as a “bill of materials”—that could be susceptible to a cyberattack.
Earlier this month, FDA Commissioner Scott Gottlieb, M.D., hinted that an update would be coming as part of a broader effort to address what has become a growing concern for the agency. In an increasingly connected healthcare environment, legacy devices have been pegged as a weak link in the ecosystem.
“Because of the rapidly evolving nature of cyber threats, we updated our 2014 cybersecurity guidance to reflect the current threat landscape so that manufacturers can be in the best position to proactively address concerns when they are designing and developing their devices” — Scott Gottlieb, M.D. (@SGottliebFDA), October 17, 2018
The agency will host a public workshop in January for stakeholders to comment on the updated draft guidelines. Gottlieb said the updates will help manufacturers “better protect their products against different types of cybersecurity risks, from ransomware to a catastrophic attack on a health system.”
“This is part of the total product lifecycle approach to device safety, in which manufacturers must adequately address device cybersecurity from the design phase through the device’s time on the market to help ensure patients are protected from cybersecurity threats,” he said in a statement.
The update comes a day after the agency signed an agreement with the Department of Homeland Security to coordinate better information sharing between the two agencies regarding potential threats to medical devices and build “enhanced mutual awareness” for better response coordination.
The agreement formalizes an existing cybersecurity relationship between the two agencies. DHS maintains its role as the central hub for device vulnerability coordination through its National Cybersecurity and Communications Integration Center, and the FDA will support those efforts by advising DHS on potential risks of patient harm.
Earlier this month, the FDA issued guidance to health systems to help prepare for a potential cyberattack on connected medical devices. Cybersecurity experts have pushed for medical device manufacturers to include a “bill of materials” to assist hospitals with that effort.
Without that information, “it’s a black box and it’s a black box they can’t touch,” Julie Connolly, a principal cybersecurity engineer with MITRE, told FierceHealthcare earlier this month.