The FDA issued a new Draft Guidance today to ensure that medical devices, an increasingly attractive target for hackers, are better protected from unauthorized digital access.

According to the FDA’s draft guidance issued today, “Cybersecurity incidents have rendered medical devices and hospital networks inoperable, disrupting the delivery of patient care across healthcare facilities in the US and globally. Such cyberattacks and exploits can delay diagnoses and/or treatment and may lead to patient harm.”

Under the proposed draft guidance, manufacturers will be required to protect their devices in a more uniform manner, as prescribed by the FDA. The new premarket submission proposals are designed to guide the industry in building these digital safety mechanisms in from the beginning of product design and development.

The New Guidance covers Premarket Notification (510(k)) submissions (including Traditional, Special, and Abbreviated); De Novo requests; Premarket Approval Applications (PMAs); Product Development Protocols (PDPs) that contain software (including firmware) or programmable logic; as well as software that is a medical device.

While manufacturers are already required under the Quality System Regulation to establish and maintain procedures for validating the device's design, including software validation and risk analysis, the FDA is recommending that validation include design controls to ensure medical device cybersecurity and maintain medical device safety and effectiveness. Including these design controls may make it easier for the FDA to “find your device meets its applicable statutory standard for premarket review.”

The recommendations in the newly released Draft Guidance describe using a more risk-based approach to the design and development of appropriate cybersecurity protections. The FDA wants manufacturers to design programs to follow their devices throughout the device lifecycle, monitor new and potential threats, and issue cybersecurity updates to thwart new attempts at unauthorized digital access of the devices.

Because devices that connect to the internet or wirelessly to other devices pose a new and larger cybersecurity threat, the FDA is requiring that a Cybersecurity Bill of Materials be included in the manufacturer's filing to identify key components and accessories that could render the device vulnerable to “hacking”. The FDA is creating a new Tier 1 level of standards for these devices to ensure greater security than for Tier 2 devices (those that are not wirelessly or internet connected).

Design controls should include appropriate authentication and authorization mechanisms, such as user IDs, passwords, time-limited sessions with automatic logout, and layered authorization (e.g., patient, healthcare professional, technician), and these should now be used in the design of these devices. Authentication and authorization of critical safety commands will be considered in new submissions. In addition, proper labeling to warn patients and providers of the cybersecurity risks involved with these devices is essential.
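To make the design controls listed above concrete, the following is an added illustration (not code from the FDA guidance, the blog, or any device manufacturer) of how a device's access-control layer can combine per-user credentials, an idle timeout with automatic logout, role-layered authorization, and a re-authentication step for critical safety commands. The command names (`read_status`, `set_dose`, `update_firmware`), the role set, the timeout values and the accounts are all constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    PATIENT = "patient"
    CLINICIAN = "clinician"
    TECHNICIAN = "technician"


# Hypothetical command-to-role policy (constructed for this example).
# Layered authorization: each command lists the roles allowed to issue it.
COMMAND_POLICY = {
    "read_status": {Role.PATIENT, Role.CLINICIAN, Role.TECHNICIAN},
    "set_dose": {Role.CLINICIAN},
    "update_firmware": {Role.TECHNICIAN},
}

# Critical safety commands require the caller to re-present a credential at
# command time, so an unattended but still-open session cannot issue them.
CRITICAL_COMMANDS = {"set_dose", "update_firmware"}


def _hash_password(password, salt):
    # Salted PBKDF2 so stored credentials are not recoverable from the device image.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class Account:
    role: Role
    salt: bytes
    pw_hash: bytes


@dataclass
class Session:
    user: str
    role: Role
    created: float
    last_seen: float


class DeviceAccessControl:
    def __init__(self, idle_timeout=300.0, max_lifetime=3600.0, clock=time.monotonic):
        self.idle_timeout = idle_timeout    # seconds of inactivity before auto-logout
        self.max_lifetime = max_lifetime    # absolute cap on a session's age
        self.clock = clock                  # injectable for testing
        self.accounts = {}
        self.sessions = {}

    def add_account(self, user, password, role):
        salt = os.urandom(16)
        self.accounts[user] = Account(role, salt, _hash_password(password, salt))

    def _check_password(self, user, password):
        acct = self.accounts.get(user)
        if acct is None:
            _hash_password(password, b"\x00" * 16)  # equalize timing for unknown users
            return False
        return hmac.compare_digest(acct.pw_hash, _hash_password(password, acct.salt))

    def login(self, user, password):
        """Return an opaque session token, or None on bad credentials."""
        if not self._check_password(user, password):
            return None
        token = secrets.token_urlsafe(32)
        now = self.clock()
        self.sessions[token] = Session(user, self.accounts[user].role, now, now)
        return token

    def _live_session(self, token):
        s = self.sessions.get(token)
        if s is None:
            return None, "no_session"
        now = self.clock()
        if now - s.last_seen > self.idle_timeout or now - s.created > self.max_lifetime:
            del self.sessions[token]        # automatic logout
            return None, "session_expired"
        s.last_seen = now
        return s, "ok"

    def authorize(self, token, command, reauth_password=None):
        """Return (allowed, reason) for issuing `command` under `token`."""
        s, reason = self._live_session(token)
        if s is None:
            return False, reason
        if s.role not in COMMAND_POLICY.get(command, set()):
            return False, "role_not_permitted"
        if command in CRITICAL_COMMANDS:
            if reauth_password is None:
                return False, "reauth_required"
            if not self._check_password(s.user, reauth_password):
                return False, "reauth_failed"
        return True, "ok"


if __name__ == "__main__":
    ac = DeviceAccessControl()
    ac.add_account("nurse01", "example-passphrase", Role.CLINICIAN)  # constructed account
    tok = ac.login("nurse01", "example-passphrase")
    print(ac.authorize(tok, "read_status"))                          # (True, 'ok')
    print(ac.authorize(tok, "set_dose"))                             # (False, 'reauth_required')
    print(ac.authorize(tok, "set_dose", "example-passphrase"))       # (True, 'ok')
    print(ac.authorize(tok, "update_firmware", "example-passphrase"))  # (False, 'role_not_permitted')
```

The role check runs before the re-authentication check so that a caller outside the permitted role learns nothing about whether a credential was correct; the `clock` parameter lets the idle and lifetime limits be exercised deterministically in a test harness rather than by waiting.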

For an updated list of FDA recognized consensus standards the Agency recommends that you refer to the FDA Recognized Consensus Standards Database.
