FDA Draft Guidance on Cybersecurity in Medical Devices

The U.S. Food and Drug Administration (FDA) recently issued draft guidance on how medical device manufacturers should address cybersecurity threats in devices that are already on the market (81 Fed. Reg. 3803, 1/22/16). The draft guidance proposes that manufacturers “implement a structured and systematic comprehensive cybersecurity risk management program and respond in a timely fashion to identified vulnerabilities.” Such programs should include applying the National Institute of Standards and Technology’s 2014 voluntary Framework for Improving Critical Infrastructure Cybersecurity; monitoring cybersecurity information sources; detecting and assessing vulnerabilities; establishing processes for intake and handling of vulnerabilities; clearly defining “essential clinical performance to develop mitigations that protect, respond and recover from the cybersecurity risk”; adopting a coordinated vulnerability disclosure policy; and “deploying mitigations that address cybersecurity risk early and prior to exploitation.” Comments on the draft guidance will be accepted until April 21, 2016. For additional information, see the FDA press announcement and the FDA Medical Devices – Guidance Documents page.