The FDA released a draft of its updated premarket guidance for medical device cybersecurity Oct. 18, adding new recommendations for internet-connected products.
The guidance, which was last updated in 2014, outlines the information medical device manufacturers should gather for submissions to the agency for premarket review. The recommendations primarily relate to how manufacturers should assess cybersecurity in the development and review of their medical device products to identify issues as quickly as possible.
One major update to the guidance asks manufacturers of internet-connected medical devices to provide their customers with a "cybersecurity bill of materials," a list of commercial and off-the-shelf software and hardware components in a device that could be susceptible to vulnerabilities, such as the operating system the product runs on.
"The need for effective cybersecurity to ensure medical device functionality and safety has become more important with the increasing use of wireless, internet- and network- connected devices, portable media (e.g. USB or CD), and the frequent electronic exchange of medical device-related health information," the guidance reads.
The updated guidance is one of a few medical device security initiatives the FDA is working on in October. Early in the month, FDA Commissioner Scott Gottlieb, MD, highlighted various steps the agency was taking to strengthen its cybersecurity program, including revising its guidance and developing a "playbook" to help hospitals with cybersecurity readiness for medical devices.
The FDA emphasized that the updated guidance, in its draft form, is being distributed so industry stakeholders can provide feedback. The agency will accept comments on the guidance for the next 150 days.