Emerging technologies are generating great advancements in the healthcare industry. Yet, as these technologies enter the marketplace, they also generate potentially unprecedented cybersecurity threats for their consumers. Protecting consumers from these threats now requires manufacturers to identify and mitigate potential threats throughout a product’s life cycle. To assist in mitigating new and emerging threats, the FDA has released final guidance on both pre- and post-market management of medical devices focusing on cybersecurity.
Why would the FDA consider this topic relevant?
New technologies have emerged enabling medical devices to connect to hospital networks, consumer home networks and Wi-Fi. Some devices are even capable of transmitting data wirelessly to healthcare providers. The benefits of such capabilities are undisputed; however, these technological advances also create the potential for cybersecurity breaches, which could ultimately put individuals and healthcare networks at risk or put the medical device’s performance in jeopardy.
The FDA recognizes these threats are real and realizes the best way to combat them is to have manufacturers incorporate cybersecurity controls in the design and development of medical devices to ensure the devices continue to perform as designed. The FDA’s guidance outlines the steps it recommends manufacturers take to stay vigilant and address their medical devices’ cybersecurity risks. The guidance focuses on device manufacturers implementing a structured and comprehensive cybersecurity program to manage risks and recommends manufacturers:
Have methods to detect and monitor cybersecurity vulnerabilities in their devices.
Detect and assess the level of risk a device vulnerability poses to safety.
Establish working relationships with cybersecurity researchers to stay abreast of potential vulnerabilities.
Deploy mitigations to address cybersecurity issues before they can cause harm.
The FDA recognizes that innovations and features designed to improve health care can increase cybersecurity risks. Thus, its final guidance on pre- and post-market medical devices is designed to recognize innovation while enforcing the need for cybersecurity protocols to protect consumers.