The FDA has become increasingly concerned about cybersecurity in medical devices. So they’ve just developed a draft guidance to identify cybersecurity issues for manufacturers to consider when preparing premarket submissions for medical devices. The new document is titled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices – Draft Guidance for Industry and Food and Drug Administration Staff.” It is available from Document Center along with a number of other guidance documents related to this topic.
The trouble has surfaced as medical devices primarily used in hospital settings are increasingly linked to the Internet. Medical data is stored and used electronically to support initiatives like the Electronic Health Record. Several instances of intrusion and infection have hit a number of locations, including VA hospitals. And there are also questions as to the safety of even implanted devices like pacemakers and insulin pumps.
A recent Wall Street Journal article described the dangers that have engineers and FDA officials concerned. It focuses on the risk of attack by computer viruses and malware in hospitals and clinics. Of course, since many medical devices are connected to internal, and by extension external, networks in these types of settings, it is not surprising that they suffer from the same vulnerabilities as the rest of connected devices.
The other 2 guidance documents on the topic are the “Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices” and “Guidance for Industry – Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software.” Both of these publications were released in 2005, so the new Guidance Draft for Cybersecurity just released is the only new information on the topic since then.
Do be aware that “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices – Draft Guidance for Industry and Food and Drug Administration Staff” has been released in order to stimulate discussion. It is still a draft document.
FDA guidance documents do not establish legally enforceable responsibilities for medical device manufacturers. But they do describe FDA’s current thinking on a given topic and should be taken seriously by those submitting products for FDA approval.
FDA documents can be purchased from Document Center’s web store, www.document-center.com. Or you can contact us by phone (650-591-7600), fax (650-591-7617) or email (info@document-center.com). We began tracking these documents due to our customer requests for monitoring services for this important document set. We remain one of the few resources you have for keeping informed of these types of regulatory releases.
To see more recent FDA guidance document releases, see my Document Center Blog on New FDA Medical Device Guidelines for the 1st Quarter 2013.
