FDA updates medical device premarket guidance to include cybersecurity recommendations

New FDA guidance recommends device manufacturers include a "bill of materials" to assist with cybersecurity. (Getty/A stockphoto)

Updated guidance issued by the Food and Drug Administration on Wednesday includes several new cybersecurity recommendations for medical devices.

Among those changes, the FDA is asking manufacturers to include a list of hardware and software components within each device—known as a “bill of materials”—that could be susceptible to a cyberattack.

Earlier this month, FDA Commissioner Scott Gottlieb, M.D., hinted that an update would be coming as part of a broader effort to address what has become a growing concern for the agency. In an increasingly connected healthcare environment, legacy devices have been pegged as a weak link in the ecosystem.

The agency will host a public workshop in January for stakeholders to comment on the updated draft guidelines. Gottlieb said the updates will “better protect their products against different types of cybersecurity risks, from ransomware to a catastrophic attack on a health system.”

“This is part of the total product lifecycle approach to device safety, in which manufacturers must adequately address device cybersecurity from the design phase through the device’s time on the market to help ensure patients are protected from cybersecurity threats,” he said in a statement.

The update comes a day after the agency signed an agreement with the Department of Homeland Security to coordinate better information sharing between the two agencies regarding potential threats to medical devices and build “enhanced mutual awareness” for better response coordination.

The agreement formalizes an existing cybersecurity relationship between the two agencies. DHS maintains its role as the central hub for device vulnerability coordination through its National Cybersecurity and Communications Integration Center, and the FDA will support those efforts by advising DHS on potential risks of patient harm.

Earlier this month, the FDA issued guidance to health systems to help prepare for a potential cyberattack on connected medical devices. Cybersecurity experts have pushed for medical device manufacturers to include a “bill of materials” to assist hospitals with that effort.

Without that information, “it’s a black box and it’s a black box they can’t touch,” Julie Connolly, a principal cybersecurity engineer with MITRE, told FierceHealthcare earlier this month.
