Earlier this year, the FDA released guidance on Postmarket Management of Cybersecurity in Medical Devices. Many agree that the recommendations will help guide device developers and manufacturers, but, like all FDA guidance documents, they are "non-binding": recommendations, not requirements. With the stakes so high and cyber threats continuing to grow, the open question is whether, and when, the FDA will begin mandating them.
Here is a brief summary of the key FDA recommendations for securing medical devices.
Manufacturers of medical devices should establish a cybersecurity policy that addresses risks and vulnerabilities associated with medical devices. The cybersecurity policy should address the following items:
- A risk assessment that identifies assets, threats, and vulnerabilities, estimates the likelihood that a vulnerability exists and is exploited, and rates the resulting impact on the organization and on patients
- The inherent risk of the medical device, before any controls are applied
- The residual risk that remains after the cybersecurity controls in place are taken into account
- Management's formal acceptance of the residual risk
- An assessment of the patient harm that could result from a malicious attack on the medical device
Cybersecurity policies for medical devices should address unauthorized access, unauthorized changes to the device, unauthorized use, and denial of use (for example, legitimate users being locked out after failed logins). Controls for medical devices should be established to cover the following:
- Monitoring for, and detecting, new vulnerabilities and emerging risks
- Validating software updates before they are applied to the device
- Incident response procedures for a cybersecurity event
- Recovery procedures for restoring the device and its data after a cybersecurity event
- Communication and disclosure procedures for notifying users, regulators, and other stakeholders of a cybersecurity event
These recommendations point medical device companies in the right direction, but the stakes keep rising and the risks are very real. So what should you be doing to secure your organization?
Be anticipatory. We are urging our clients to get ahead of the regulator and turn these recommendations into internal requirements over the next 12 to 18 months. It is only a matter of time before the FDA requires security features and processes to be built in, so why wait? You cannot afford to keep your reputation and your organization at risk.
Be prepared. Sit down with a security professional to work out which policies and procedures you need in place to protect your end users and reduce your cyber risk.