The U.S. Food and Drug Administration (FDA) has finalized its vendor guidance for the management of cybersecurity in medical devices.
Finalizing a draft issued in June 2013, the guidance aims to help industry by identifying cybersecurity issues that manufacturers should consider in designing and developing their medical devices, as well as in preparing premarket submissions, according to the FDA's Center for Devices and Radiological Health (CDRH).
The FDA noted that manufacturers should develop controls to ensure cybersecurity and maintain the functionality and safety of their medical devices.
"Failure to maintain cybersecurity can result in compromised device functionality, loss of data (medical or personal) availability or integrity, or exposure of other connected devices or networks to security threats," the FDA wrote in its guidance. "This in turn may have the potential to result in patient illness, injury, or death."
In addition to including design inputs related to cybersecurity in their devices, manufacturers should establish a cybersecurity vulnerability and management approach during software validation and risk analysis, according to the FDA. This should include the following:
- Identification of assets, threats, and vulnerabilities
- Assessment of the impact of threats and vulnerabilities on device functionality and end users/patients
- Assessment of the likelihood of a threat and of a vulnerability being exploited
- Determination of risk levels and suitable mitigation strategies
- Assessment of residual risk and risk acceptance criteria
The FDA also recommends that medical device manufacturers consider the five core functions of the NIST Framework for Improving Critical Infrastructure Cybersecurity, which the guidance cites: identify, protect, detect, respond, and recover.