The guidance identifies cybersecurity issues that manufacturers should consider – to maintain confidentiality, integrity and availability of information – in preparing premarket submissions. FDA's main concern relates to the frequent exchange of medical device-related health information and, among other things, having a plan to manage system or software updates.
Specific concerns also include:
- Malware infections on medical devices and/or computers, tablets and smartphones that are used to access patient data
- Unsecured or uncontrolled passwords
- Untimely updates / patches to security systems
- Other security vulnerabilities
FDA also provided some general management approaches to control risks, such as:
- Identifying threats and vulnerabilities
- Assessing the impact of those identified (and whether the impacts will be felt by patients or in device functionality)
- Assessing the likelihood of threats
- Determining risk levels and mitigation strategies
- Assessing residual risk and risk acceptance criteria
Although described as recommendations, manufacturers should take special care to act in compliance with the suggested actions or risk later accusations of sub-standard cybersecurity.
As always, a review of these topics should also trigger a review of insurance strategies as a component of risk management. Simply put, manufacturers need to periodically assess the extent of their insurance coverage consistent with the ongoing assessment of cybersecurity risks.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.