On June 14, the FDA issued two documents on cybersecurity. One was a draft guidance for manufacturers on what they should consider as part of their design process, and what the FDA recommends be provided as part of a 510(k), PMA, or related premarket submission. Although aimed at manufacturers, this draft has implications for hospitals and service organizations as well, especially with respect to the concept of different levels of authorized users, including who is authorized to perform software downloads. The security measures the FDA suggests manufacturers consider might also be adopted as device selection criteria, with purchasers asking manufacturers the same questions the FDA intends to ask them. The release of the draft guidance opened a 90-day comment period, after which the FDA can issue a final guidance, revise the draft, withdraw the draft, or do nothing.
The second document is a safety communication called “Cybersecurity for Medical Devices and Hospital Networks.” It addresses both manufacturers and hospitals. This document focuses on cyberattacks, as opposed to the more general issues in the draft guidance, although there is substantial overlap in concepts between the two documents. The safety communication covers a variety of vulnerabilities, such as malware that can both disable devices and access patient information; password weaknesses in accounts used by technical and maintenance personnel; failure to provide timely security updates and patches to devices and networks; and vulnerabilities in off-the-shelf software incorporated into devices. The FDA reminds manufacturers that they are responsible for identifying the risks and hazards associated with their medical devices and for providing appropriate mitigations. This parallels the expectations in the draft guidance.
For hospitals, the safety communication recommends what should by now be familiar steps to address device and network security. These include restricting unauthorized access, keeping technical security measures such as antivirus software and firewalls up to date, monitoring the network for unauthorized use, and having contingency plans for when a device or network is compromised. Interestingly, there is no mention of IEC 80001, the standard for risk management of IT networks that incorporate medical devices.
The safety communication also reminds us about adverse event reporting, whether through mandatory Medical Device Reports (MDRs) from manufacturers and covered user facilities, or through voluntary reporting of events that do not meet the mandatory criteria or that come from entities not subject to MDR requirements.
There is nothing very new conceptually in these documents, and no one should really be surprised by the content of the FDA’s observations and suggestions. Nonetheless, another reminder can’t hurt, and it might spur those who haven’t been paying attention, although the people not paying attention probably don’t pay attention to FDA documents either.
William Hyman, ScD, is professor emeritus of biomedical engineering at Texas A&M University. He now lives in New York where he is adjunct professor of biomedical engineering at The Cooper Union. Hyman may be contacted at firstname.lastname@example.org.