
FDA Guidance on Postmarket Management of Cybersecurity in Medical Devices

  • By: Staff Editor
  • Date: February 16, 2017
  • Source: http://www.fda.gov/

Significant technological advances in medical devices have increased the risk of cybersecurity breaches that could affect a device’s performance and functionality. Medical device manufacturers are therefore required to consider cybersecurity throughout the product lifecycle, including during research and development, design, production, distribution, and maintenance of the device.

The US FDA recently issued guidance offering recommendations for handling postmarket cybersecurity vulnerabilities in medical devices. The guidance applies to any marketed medical device, including:

  • Devices that have software (including firmware) or programmable logic.
  • Software that is a medical device, including mobile medical applications.
  • Devices that are considered part of an interoperable system.
  • Legacy devices, that is, medical devices that are already on the market or in use.

Overview of Requirements

The guidance highlights that device manufacturers should monitor, identify, and address cybersecurity threats and exploits as part of their postmarket management activities for devices.

The key areas addressed in the guidance are:

  • General principles, including premarket and postmarket considerations and maintaining safety and essential performance.
  • A medical device cybersecurity risk management program that focuses on assessing the exploitability of a cybersecurity vulnerability, measuring the severity of patient harm, and evaluating the risk of patient harm.
  • Remediating and reporting cybersecurity vulnerabilities, including specific suggestions for managing controlled risks of patient harm and uncontrolled risks to safety and essential performance.
  • Recommended content to be included in premarket approval (PMA) periodic reports.
  • Criteria for defining active participation by a manufacturer in an Information Sharing Analysis Organization (ISAO).

The guidance further clarifies the elements of an effective postmarket cybersecurity program, including identification, protection, and risk mitigation of safety and essential performance, for improving critical infrastructure cybersecurity.
