Calling medical device cybersecurity "a shared responsibility between stakeholders including health care facilities, patients, providers, and manufacturers of medical devices," the U.S. Food and Drug Administration (FDA) has issued draft guidance for postmarket management of cybersecurity risks. The draft guidance recommends working with the National Institute of Standards and Technology's (NIST) Framework for Improving Critical Infrastructure Cybersecurity as part of the risk management program, including its critical elements: identify, protect, detect, respond, and recover. FDA clarifies in the guidance that it will not need to conduct premarket review to approve routine medical device software updates, and that manufacturers should be prompt in deploying them to address identified vulnerabilities. The draft guidance also outlines situations in which identified vulnerabilities would meet medical device reporting requirements and the information that such reports should contain.
HRC Recommends: The connectivity and ubiquity of medical devices provide both opportunities and risks. Risk managers and others responsible for cybersecurity at the healthcare system should review the FDA draft guidance and consider commenting by the deadline.