October 04, 2018

FDA Addresses Medical Device Cybersecurity Preparedness

Food and Drug Administration (FDA) Commissioner Scott Gottlieb, MD announced on October 1, 2018, the availability of a “Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook.”

The non-binding informational resource was drafted by the MITRE Corporation with support from FDA and builds upon activities described in the agency’s April 2018 Medical Device Safety Action Plan.

The playbook provides various recommendations for health care delivery organizations on how to train and prepare for cybersecurity incidents involving networked medical devices and how to develop an effective communications and response framework for such devices. It suggests roles and coordination activities for various key stakeholders, including medical device manufacturers needed for developing mitigations.

The FDA also discussed the agency’s planned update of the 2014 guidance, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.”

The future revision will highlight the agency’s recommendation that manufacturers provide customers with a list of software components (i.e., a “software/cybersecurity bill of materials”) corresponding with their medical devices. In particular, the guidance emphasizes components that are potentially more vulnerable to cybersecurity threats.

In a related development, the FDA announced efforts to establish information-sharing analysis organizations (ISAOs) to provide manufacturers and other interested stakeholders with a voluntary forum to deliberate about cybersecurity risks and escalating threats.