The FDA’s New Cybersecurity Guidance for Medical Devices Reminds Us That Safety & Security Go Hand in Hand

It’s hard to believe, but manufacturers of medical devices subject to FDA pre-market approval (the FDA’s review process for evaluating the safety and effectiveness of Class III devices) have continued to operate under the original 2014 FDA medical device cybersecurity guidance and its later 2018 draft update. But that is about to change significantly.

Instead of finalizing the 2018 pre-market cybersecurity draft, the FDA has decided to issue a new 2022 version that reflects the rapid evolution of cybersecurity and incorporates a new set of quality system regulation (QSR) considerations, with significant changes from its 2018 predecessor.

New FDA draft guidance
The new draft guidance, entitled “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions,” addresses a myriad of design, labeling, and documentation issues that medical device manufacturers will need to address before their new devices can receive pre-market approval from the FDA.

The original FDA cybersecurity guidance was only nine pages long, while the 2022 version runs to 50 pages, reflecting advances in the cybersecurity ecosystem and in best practices. It appears that when approving connected medical devices for the market, the FDA will take a long look at how cybersecurity is implemented, especially where it bears on the level of risk to patient safety.

Updated regulations: why now?
Requiring more cybersecurity measures to protect medical devices and their operational and patient data is vital, as the healthcare industry has become a massive target of cyberattacks. Data breaches reached an all-time high in 2021, exposing a record volume of protected health information. In addition to stealing data, an increasing number of breaches attempt to disrupt the proper functioning of medical devices, such as computed tomography and magnetic resonance imaging machines, which can lead to misdiagnosis, unnecessary medical procedures, or direct harm to patients.

The American Hospital Association’s senior cybersecurity and risk advisor has stated that medical devices used in hospital wards suffer from an average of 6.2 vulnerabilities. As devices become more complex and interconnected, the opportunities for cyberattackers to exploit vulnerabilities are growing, hence the need to update regulations.

Incorporation of cybersecurity into quality system regulations to enhance security
With the new guidance, the FDA aims to ensure that the next generation of medical devices is much safer and more secure throughout the device life cycle, from pre-market and the earliest stages of design (shifting security “left”) through post-production and the rest of its useful life (shifting it “right”).

With the proposed guidance, the FDA is redoubling its efforts to incorporate cybersecurity into quality regulations to address the complexity of modern devices and the current landscape of evolving threats.

From CBOM to SBOM: What’s the Difference?
Surprisingly, one of the main changes in the new guidance is a relaxation: manufacturers are now required to provide a complete software bill of materials (SBOM) instead of the more tedious cybersecurity bill of materials (CBOM) that the 2018 draft required. Medical device manufacturers had pushed back on the 2018 draft because of that rigor.

An SBOM is more in line with the cybersecurity standards of most industries and with Executive Order 14028, “Improving the Nation’s Cybersecurity,” recently issued by the Biden administration. It lists all the software packages (commercial and open source) the device needs, together with their versions.

The much more complicated CBOM, according to the 2018 draft, requires “a list of commercial, open source, and off-the-shelf software and hardware components to enable device users (including patients, caregivers, and health care delivery organizations) to manage their assets, understand the potential impact of identified vulnerabilities on the device and the connected system, and deploy countermeasures to maintain the essential performance of the device.”
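As an added illustration (not from the original article or from the FDA guidance), the following constructs a simplified, CycloneDX-shaped bill of materials that lists both software components and one hardware component, extracts the SBOM subset, and checks the software versions against a constructed advisory list, which is the asset-management and vulnerability-impact use the CBOM definition above describes. All component names, versions, and fixed-in versions are assumed sample values.

```python
import json

# Constructed, simplified BOM in the CycloneDX JSON shape (not a real device's BOM).
# An SBOM covers the software entries; a CBOM additionally carries hardware
# components such as the "device" entry below.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "openssl", "version": "1.0.2u"},
        {"type": "library", "name": "zlib", "version": "1.2.12"},
        {"type": "operating-system", "name": "embedded-linux", "version": "4.19.0"},
        {"type": "device", "name": "radio-module", "version": "2.0"},
    ],
})

# Constructed advisory feed: component name -> first fixed version.
# Any installed version older than the fixed version is treated as affected.
FIXED_IN = {"openssl": "1.1.1", "zlib": "1.2.12"}

# CycloneDX component types that describe software rather than hardware.
SOFTWARE_TYPES = {"application", "framework", "library", "operating-system", "firmware"}


def parse_version(version):
    """Turn a dotted version such as '1.0.2u' into a comparable tuple of ints.
    Non-numeric suffixes (the 'u') are dropped; missing fields compare as shorter."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def software_components(bom_json):
    """Return the SBOM subset (software entries only) of a BOM that may list hardware."""
    bom = json.loads(bom_json)
    return [c for c in bom["components"] if c["type"] in SOFTWARE_TYPES]


def affected_components(bom_json, fixed_in=FIXED_IN):
    """Names of software components whose version predates the first fixed release."""
    hits = []
    for comp in software_components(bom_json):
        fixed = fixed_in.get(comp["name"])
        if fixed and parse_version(comp["version"]) < parse_version(fixed):
            hits.append(comp["name"])
    return hits


if __name__ == "__main__":
    print("software components:", [c["name"] for c in software_components(SAMPLE_BOM)])
    print("affected:", affected_components(SAMPLE_BOM))
```

In the sample, only openssl is flagged: zlib is already at the fixed-in version, and the hardware entry is excluded from the SBOM view entirely.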

A secure product development framework for every device
The latest guidance calls on medical device manufacturers to consider using a secure product development framework (SPDF) to achieve QSR goals: “An SPDF covers all aspects of a product’s life cycle, including development, launch, support, and decommissioning.”

In addition to supporting compliance with the draft guidance, the call to use an SPDF can add significant value to medical devices. As the draft guidance states: “Using SPDF processes during device design may prevent the need to redesign your device when adding connectivity-based features after marketing and distribution, or when vulnerabilities are discovered which create uncontrolled risks.”

Is the new FDA guideline binding?
Until July 7, the FDA is inviting medical device manufacturers and the public to comment on the new draft, which is expected to be finalized later this year, at which point it will become the FDA’s new cybersecurity guidance for medical devices. While FDA guidance is not binding, the final version will provide a roadmap for how medical device manufacturers should address cybersecurity in their products to ensure compliance and patient safety.

The FDA is not the only federal body seeking to enforce cybersecurity regulations. Legislation called the Protecting and Transforming Cyber Health Care (PATCH) Act was recently introduced in the United States Congress. The proposed act, the Executive Order, and other bills contain provisions that would strengthen the FDA’s ability to require medical device manufacturers to meet certain cybersecurity goals.

To prepare for imminent legislation, medical device manufacturers should begin evaluating solutions that can generate detailed SBOMs, continuously detect vulnerabilities, and mitigate risks, in order to comply with the FDA’s 2022 guidance and whatever follows it.
