The FDA has released draft guidance on medical device cybersecurity for consultation.
Headline changes to the cybersecurity guidance include the recommended creation of lists of all hardware and software components used in a device that could be vulnerable to attack.
The FDA thinks the changes will make premarket review more efficient and thereby help new, secure versions of devices get to market sooner.
Cybersecurity has raced up the FDA’s list of priorities in recent years. This month alone, the agency has issued a playbook to help healthcare providers prevent and manage attacks, tightened its cybersecurity ties to Homeland Security and posted an alert about a weakness in the defenses of Medtronic devices.
Now, four years after finalizing its guidance on medical device cybersecurity, the FDA has published a draft update to the text. The relatively short gap between the final and draft documents reflects the pace of change in cybersecurity.
“Because of the rapidly evolving nature of cyber threats, we’re updating our guidance to make sure it reflects the current threat landscape so that manufacturers can be in the best position to proactively address cybersecurity concerns,” FDA commissioner Scott Gottlieb said in a statement.
The FDA is using the update to introduce some new concepts. The agency is recommending that device manufacturers include a cybersecurity bill of materials (CBOM) in their product labeling. CBOMs are lists of components that the FDA sees as a “critical element in identifying assets, threats and liabilities.”
Other proposed changes include the creation of two tiers of medical devices defined by cybersecurity risk. The FDA plans to classify connected products that could directly harm patients if hacked as Tier 1 devices. All other devices will fall into Tier 2. By dividing devices by cybersecurity risk, the FDA thinks it will help companies design secure products and provide appropriate supporting documentation to its staff.
The FDA is accepting feedback on the draft for 150 days and will hold a public workshop in January to give parties a chance to discuss and ask questions about the proposed changes.