FDA updates medical device premarket guidance to include cybersecurity recommendations

New FDA guidance recommends device manufacturers include a "bill of materials" to assist with cybersecurity. (Getty/A stockphoto)

Updated guidance issued by the Food and Drug Administration on Wednesday includes several new cybersecurity recommendations for medical devices.

Among those changes, the FDA is asking manufacturers to include a list of hardware and software components within each device—known as a “bill of materials”—that could be susceptible to a cyberattack.

Earlier this month, FDA Commissioner Scott Gottlieb, M.D., hinted that an update would be coming as part of a broader effort to address what has become a growing concern for the agency. In an increasingly connected healthcare environment, legacy devices have been pegged as a weak link in the ecosystem.

The agency will host a public workshop in January for stakeholders to comment on the updated draft guidelines. Gottlieb said the updates will “better protect their products against different types of cybersecurity risks, from ransomware to a catastrophic attack on a health system.”

“This is part of the total product lifecycle approach to device safety, in which manufacturers must adequately address device cybersecurity from the design phase through the device’s time on the market to help ensure patients are protected from cybersecurity threats,” he said in a statement.

The update comes a day after the agency signed an agreement with the Department of Homeland Security to coordinate better information sharing between the two agencies regarding potential threats to medical devices and build “enhanced mutual awareness” for better response coordination.

The agreement formalizes an existing cybersecurity relationship between the two agencies. DHS maintains its role as the central hub for device vulnerability coordination through its National Cybersecurity and Communications Integration Center, and the FDA will support those efforts by advising DHS on potential risks of patient harm.

Earlier this month, the FDA issued guidance to health systems to help prepare for a potential cyberattack on connected medical devices. Cybersecurity experts have pushed for medical device manufacturers to include a “bill of materials” to assist hospitals with that effort.

Without that information, “it’s a black box and it’s a black box they can’t touch,” Julie Connolly, a principal cybersecurity engineer with MITRE, told FierceHealthcare earlier this month.
