The Food and Drug Administration has put out draft guidance to help medical device makers manage the cyber vulnerabilities of connected pacemakers, insulin pumps and other networked gadgets after they’ve gone to market.
Manufacturers, it says, should create a comprehensive cybersecurity risk management program that stresses “addressing vulnerabilities which may permit the unauthorized access” to the device or its data by hackers. As part of that program, manufacturers should monitor cybersecurity sources to learn of new risks, share threat information with competitors and adopt coordinated vulnerability disclosure policies and practices. But the agency is seeking input from the private sector on exactly how firms should collaborate.
FDA also says a firm’s risk management program should align with the National Institute of Standards and Technology’s voluntary cyber framework, a standard the government developed with the private sector and released nearly two years ago.
“Cybersecurity threats to medical devices are a growing concern,” the agency said in a release. “The exploitation of cybersecurity vulnerabilities presents a potential risk to the safety and effectiveness of medical devices.”
The agency also touts the importance of participating in an information sharing analysis organization, known as an ISAO, which brings together companies to share cybersecurity threat information with each other — and with the federal government. The draft guidance said the FDA has entered into a memorandum of understanding with an ISAO called the National Health Information Sharing & Analysis Center, or NH-ISAC, to help create an organization that focuses on protecting medical devices and the surrounding health IT infrastructure. Exactly what the ISAO would look like is still unknown.
“That is something that, at this point, we are welcoming specific public input on,” FDA spokeswoman Angela Stark told FedScoop.
The guidance wouldn’t require manufacturers to get FDA approval to address vulnerabilities “for the majority of cases.” But the agency would need to know about problems that could “compromise the essential clinical performance of a device and present a reasonable probability of serious adverse health consequences or death.”
At the same time, device makers are encouraged to integrate cybersecurity throughout the product’s life cycle. Indeed, the agency released guidance in 2014 that directs device makers to factor in security concerns from the design stage.
The agency opened public comment on the draft guidance for 90 days and plans to hold a two-day public workshop with NH-ISAC this week on medical device security at its Silver Spring, Maryland, headquarters. The new draft guidance is expected to be a top agenda item.