The U.S. Food and Drug Administration (FDA) recently released draft guidance related to cybersecurity measures for medical devices. The guidance offers a roadmap for medical device manufacturers to assess risks to devices they create throughout the devices’ lifespans. This framework includes examining the potential threats and vulnerabilities to the functionality of a device in the pre-market phase and monitoring known risks and identifying new risks when a device is post-market.

Because a cybersecurity incident involving a medical device could have a life-threatening impact on the user, the FDA suggests manufacturers use a threefold approach to risk management. In particular, the FDA notes the risk management plan should assess the exploitability of the vulnerability; examine the severity of the potential impact on the user’s health; and evaluate the risk to the device’s essential clinical performance. For the latter, the FDA recommends classifying the risk as either controlled, meaning there is a sufficiently low probability that the vulnerability will affect the device’s ability to remain free from unacceptable clinical risk, or uncontrolled, in which case the manufacturer may need to take additional actions to protect the user.

TIP: Businesses involved in the manufacture of medical devices can review the guidance to understand the FDA’s expectations surrounding cybersecurity best practices.