FDA Draft: Postmarket Management of Cybersecurity in Medical Devices

The FDA recently released new guidance for managing cybersecurity in medical devices. The guidance emphasizes the manufacturers need to monitor, identify, and address cybersecurity vulnerabilities and exploits. This document is guidance and does not establish legally enforceable responsibilities.

Cybersecurity is essential to our health.
Through this document as well as the premarket cybersecurity guidance, the FDA encourages the use of the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The cybersecurity framework core consists of five concurrent and continuous Functions—Identify, Protect, Detect, Respond, Recover. When considered together, these functions provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk. These five elements should be included in the manufacturer’s cybersecurity risk management program.

The manufacturer, working with the stakeholders can greatly enhance the security of medical devices by implementing a comprehensive cybersecurity framework. This framework should include timely mitigation of identified vulnerabilities and exploits.

Learn more about cybersecurity training for healthcare here by reading chapter 3 in Protecting Our Future (Vol 1).

FDA (2016, January, 22). Postmarket Management Cybersecurity in Medical Devices: Draft Guidance for Industry and Food and Drug Administration Staff. Retrieved from http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482022.pdf