FDA wants more cyber protection for medical devices
New draft guidance from the Food and Drug Administration lays out steps the regulatory agency wants medical device manufacturers to take to reduce cybersecurity risks to the devices.
The FDA cites growing concern about the safety of medical devices, yet regulators themselves are under fire after a study by Arxan Technologies, a vendor of anti-tamper protection software, found that 84 percent of mHealth apps tested did not adequately address at least two of the Open Web Application Security Project Mobile Top 10 Risks, Health Data Management recently reported.
The draft guidance, which has a 90-day comment period, follows an FDA warning in November 2015 of cyber threats to networked medical devices. The agency contended then that security vulnerabilities could permit hackers to access hospital networks and put patients' safety and their protected health information at risk. And, in July 2015, the FDA warned of serious cyber vulnerabilities in a particular infusion pump, the Symbiq Infusion System from Hospira, advising facilities to disconnect the pumps from their network.
In the new guidance for medical device manufacturers, the FDA notes threats that can arise when devices undergo maintenance. “While manufacturers can incorporate controls in the design of a product to help prevent these risks, it is essential that manufacturers also consider improvements during maintenance of devices, as the evolving nature of cyber threats means risks may arise throughout a device’s entire lifecycle.”
The guidance also calls for information sharing with public and private entities by device manufacturers via an Information Sharing Analysis Organization, as well as applying the voluntary “Framework for Improving Critical Infrastructure Cybersecurity” document of the National Institute of Standards and Technology.
The new guidance for medical device manufacturers is available here.