FDA clarifies cybersecurity recommendations for device makers in new guidance – MedTech Dive

The new cybersecurity guidance would replace a previous draft guidance from 2018, and is intended to emphasize the importance of ensuring that devices are designed securely, an FDA spokesperson wrote in an email. 
It’s also intended to help mitigate cybersecurity risks throughout the entire lifecycle of a product, and more clearly outline the FDA’s recommendations for premarket submissions around cybersecurity. 
Previously, the FDA had written a guidance in 2014 for its expectations for premarket submissions, and two years later, one on postmarket management of cybersecurity in medical devices. 
“However, the rapidly evolving landscape, an increased understanding of emerging threats, and the need for capable deployment of mitigations throughout the total product lifecycle (TPLC) warrants an updated, iterative approach to device cybersecurity,” the agency noted in the new guidance. 
Per the new guidance, design and documentation in submissions are expected to scale with the cybersecurity risk of a device. For instance, the FDA gave the example of a thermometer: A simple, non-connected thermometer would have limited security risks and need only a limited security architecture. However, if the thermometer were used as part of a safety-critical control loop, or were connected to other networks or devices, then more substantial design controls and documentation should be submitted as part of the premarket submission.
The FDA also recommends that device manufacturers include documentation of their security architecture in submissions, as well as metrics on their processes for identifying and patching vulnerabilities. At minimum, manufacturers should report the percentage of identified vulnerabilities that are updated or patched, the time from vulnerability identification to update or patch, and the time from when an update or patch is available to complete implementation in devices deployed in the field. 
The agency has been seeking more authority to require medical device companies to provide more cybersecurity information upfront as part of a premarket submission, including a Software Bill of Materials, and to build the capability to update and patch device security into a product’s design. The agency also wants to be able to require timely updates and patches for legacy devices, CDRH’s Acting Director for Medical Device Cybersecurity Kevin Fu told MedTech Dive last year.
A piece of proposed legislation, the Protecting and Transforming Cyber Health Care (PATCH) Act, would expand security requirements for device manufacturers and introduce requirements for them to monitor and address postmarket cybersecurity vulnerabilities. The bipartisan bill, sponsored by Sens. Tammy Baldwin, D-Wisc., and Bill Cassidy, R-La., was recently introduced in the Senate and there is companion legislation in the House of Representatives.