Last month, the U.S. Food and Drug Administration issued its final guidance, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.” Those guidelines make non-binding recommendations on the cybersecurity issues medical device manufacturers should consider in developing new devices. The guidelines also address the processes medical device manufacturers should follow in evaluating and seeking to mitigate cybersecurity risks and the documentation they should submit to the FDA in seeking approval of new devices.
The FDA’s guidance is in response to the growing recognition that the connectivity medical devices have through the internet, networks and USB ports makes them vulnerable. While that connectivity improves patient care, it also creates cybersecurity risks, including the risk of patient harm.
The FDA’s guidance is relevant not only to the manufacturers of new medical devices, but also to hospitals and others that currently use medical devices with internet, network or other connectivity. The guidelines expressly state that they do not create “legally enforceable responsibilities.” However, they may well contribute to the establishment of a standard of care for such users in evaluating the security of current devices and whether software updates and other risk mitigation measures are recommended for such devices.
A copy of the Cyber Security Guidance issued by the FDA can be found here.