FDA clarifies cybersecurity recommendations for device makers in … – MedTech Dive




The new cybersecurity guidance would replace a previous draft guidance from 2018, and is intended to emphasize the importance of ensuring that devices are designed securely, an FDA spokesperson wrote in an email. 
It’s also intended to help mitigate cybersecurity risks throughout the entire lifecycle of a product, and more clearly outline the FDA’s recommendations for premarket submissions around cybersecurity. 
Previously, the FDA had written a guidance in 2014 for its expectations for premarket submissions, and two years later, one on postmarket management of cybersecurity in medical devices. 
“However, the rapidly evolving landscape, an increased understanding of emerging threats, and the need for capable deployment of mitigations throughout the total product lifecycle (TPLC) warrants an updated, iterative approach to device cybersecurity,” the agency noted in the new guidance. 
Per the new guidance, design and documentation in submissions are expected to scale with the cybersecurity risk of a device. For instance, the FDA gave the example of a thermometer: A simple, non-connected thermometer would have limited security risks, and only need a limited security architecture. However, if the thermometer were used as part of a safety-critical control loop, or were connected to other networks or devices, then more substantial design controls and documentation should be submitted as part of the premarket submission. 
The FDA also recommends that device manufacturers include documentation of their security architecture in submissions, as well as metrics on their processes for identifying and patching vulnerabilities. At minimum, manufacturers should report the percentage of identified vulnerabilities that are updated or patched, the time from vulnerability identification to update or patch, and the time from when an update or patch is available to complete implementation in devices deployed in the field. 
The agency has been seeking more authority to require medical device companies to increase cybersecurity information upfront as part of a premarket submission, including a Software Bill of Materials and the capability to update and patch device security into a product’s design. The agency also wants to be able to require timely updates and patches for legacy devices, CDRH’s Acting Director for Medical Device Cybersecurity Kevin Fu told MedTech Dive last year.
A piece of proposed legislation, the Protecting and Transforming Cyber Health Care (PATCH) Act, would expand security requirements for device manufacturers and introduce requirements for them to monitor and address postmarket cybersecurity vulnerabilities. The bipartisan bill, sponsored by Sens. Tammy Baldwin, D-Wisc., and Bill Cassidy, R-La., was recently introduced in the Senate, and there is companion legislation in the House of Representatives.