On October 1, 2014, the Food and Drug Administration (“FDA”) announced that it has issued final guidance regarding cybersecurity in medical devices, entitled Content of Premarket Submissions for Management of Cybersecurity in Medical Devices (the “Guidance”). The Guidance provides recommendations to device manufacturers for content “to include in FDA medical device premarket submissions for effective cybersecurity management.” The Guidance updates a draft guidance that was originally published in June 2013.
The announcement of the Guidance noted a number of concerns the FDA has about the security of medical devices, including malware infections, unsecured passwords, inconsistent use of security software updates and patches, and security vulnerabilities in off-the-shelf software for medical devices.
The Guidance recommends that device manufacturers consider the following cybersecurity framework core functions:
- Identify – assessing the type of cybersecurity vulnerabilities for a specific device depending on its intended use and environment;
- Protect – securing the device by limiting access to authenticated users and ensuring trusted content on the device;
- Detect – implementing features that allow for security compromises to be detected;
- Respond – providing information to the user of the device to respond to a cybersecurity event; and
- Recover – providing methods that allow an authenticated user to recover the information on the device.
In announcing the Guidance, Suzanne Schwartz, the Director of Emergency Preparedness, Operations and Medical Countermeasures at the FDA’s Center for Devices and Radiological Health, stated that while it was impossible to create a “threat-proof medical device,” it is critical for medical device manufacturers “to remain vigilant about cybersecurity and to appropriately protect patients from those risks.”