FDA Issues Guidance On Cybersecurity of Medical Devices
The Security Ledger reports that the U.S. Food and Drug Administration (FDA) has issued final guidance on Wednesday that calls on medical device manufacturers to consider cyber security risks as part of the design and development of devices. The document, "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices," asks device makers seeking FDA approval of medical devices to disclose any "risks identified and controls in place to mitigate those risks" in medical devices. The guidance also recommends that manufacturers submit documentation of plans for patching and updating the operating systems and medical software that devices run. While the guidance does not have the force of a mandate, it does put medical device makers on notice that FDA approval of their device will hinge on a consideration of cyber risks alongside other kinds of issues that may affect the functioning of the device. Among other things, medical device makers are asked to avoid worst-practices like 'hardcoded' passwords and use strong (multi-factor) authentication to restrict access to devices. Device makers are also urged to restrict software and firmware updates to authenticated (signed) code and to secure inbound and outbound communications and data transfers.
.
The Security Ledger reports that the U.S. Food and Drug Administration (FDA) has issued final guidance on Wednesday that calls on medical device manufacturers to consider cyber security risks as part of the design and development of devices. The document, "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices," asks device makers seeking FDA approval of medical devices to disclose any "risks identified and controls in place to mitigate those risks" in medical devices. The guidance also recommends that manufacturers submit documentation of plans for patching and updating the operating systems and medical software that devices run. While the guidance does not have the force of a mandate, it does put medical device makers on notice that FDA approval of their device will hinge on a consideration of cyber risks alongside other kinds of issues that may affect the functioning of the device. Among other things, medical device makers are asked to avoid worst-practices like 'hardcoded' passwords and use strong (multi-factor) authentication to restrict access to devices. Device makers are also urged to restrict software and firmware updates to authenticated (signed) code and to secure inbound and outbound communications and data transfers.
.