In its recently released final guidance for device manufacturers on cybersecurity risk management, the U.S. Food and Drug Administration recommends that cybersecurity measures become an inherent part of medical device design and development.
“There is no such thing as a threat-proof medical device,” Suzanne Schwartz, director of emergency preparedness/operations and medical countermeasures at the Center for Devices and Radiological Health, said Wednesday.
“It is important for medical device manufacturers to remain vigilant about cybersecurity and to appropriately protect patients from those risks.”
The “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” document also requires device manufacturers to provide FDA with information on the security controls they have established to mitigate identified risks and on their plans to manage updates for medical software, FDA said.
Potential cybersecurity risks include malware infections on devices used to access medical records, password distribution, and infrequent software updates and patches.
The agency noted that security vulnerabilities in medical devices can affect the delivery of health services and the effectiveness and safety of the devices used.
FDA said it will hold a workshop later this year to discuss potential collaborative work among government, health facilities, cybersecurity professionals and the medical device industry to further address cybersecurity concerns.