The U.S. Food and Drug Administration (“FDA”) released updated draft guidelines on how medical device manufacturers should protect against data breaches and viruses prior to marketing their products. The new draft, once finalized, will replace the agency’s 2014 guidance on the subject.
As indicated in its October 18 draft, the FDA’s modifications to its premarket cybersecurity guidance are intended to reflect the current threat landscape. The FDA’s new recommendations touch on device design, labeling, and documentation included in premarket submissions for agency approval. FDA hopes that manufacturers can proactively address possible cyber concerns when developing, designing, and ultimately marketing their medical devices. In addition, the guidance recommends that manufacturers prepare a “cybersecurity bill of materials,” a list of commercial, open source, and off-the-shelf software and hardware components included in devices. According to the FDA, this information will better enable users (patients, providers, and healthcare delivery organizations) to effectively manage their devices, understand the potential impact of vulnerabilities, and deploy appropriate countermeasures.
As part of its guidance, the FDA created two tiers of medical devices based on the cybersecurity risks associated with the specific products. Tier 1 products, those deemed a “higher security risk,” include devices capable of connecting to another medical or non-medical product, or to a network or the internet, whether by wired or wireless connection. These types of devices—e.g. defibrillators, pacemakers, insulin pumps, and the support systems that interact with them—are so classified because an incident affecting the device could result in direct harm to patients. Tier 2 devices, those with “standard cybersecurity risk,” are products that do not qualify for Tier 1 status.
The FDA will conduct a public workshop for affected stakeholders on January 29-30, 2019 to discuss the draft guidance before it is finalized. Medical device manufacturers are also reminded of the FDA’s post-market guidance, released in 2016, which includes recommendations for maintaining the cybersecurity of network-connected devices once they are in use.