On October 2, the FDA issued guidance on cybersecurity for medical devices containing software in order “to assist industry by identifying issues related to cybersecurity that manufacturers should consider in the design and development of their medical devices as well as in preparing premarket submissions for those devices.”
Adopting the NIST Cybersecurity Framework’s basic tenets (identify, protect, detect, respond, and recover), the FDA recommends that manufacturers identify potential risks; develop security functions to protect devices; take steps to detect security compromises; provide information about steps to take to respond to a breach; and ensure that users are able to recover the functionality of the device after a breach. In particular, medical devices should be configured to limit access to trusted users only and to ensure trusted content. At the same time, “security controls should not unreasonably hinder access to a device intended to be used during an emergency situation.”
The FDA provides manufacturers with several specific examples of documentation they should include in premarket submissions (e.g., a traceability matrix linking the actual cybersecurity controls implemented to the risks considered). The guidance also lists a number of consensus standards relating to information technology and medical device security.