As part of its overall effort to ensure the safety of patients, the U.S. Food and Drug Administration (FDA) has issued a draft guidance document detailing steps that medical device manufacturers should take to address potential post-market cybersecurity risks associated with modern medical devices.
Published in January 2016, the draft guidance includes recommendations applicable to the monitoring of cybersecurity risks, and the identification and mitigation of cybersecurity vulnerabilities of medical devices on the market. Specifically, the draft guidance recommends that device manufacturers develop a comprehensive cybersecurity risk management program that regularly assesses cybersecurity vulnerabilities and includes plans for proactively addressing identified risks.
The draft guidance document also encourages the sharing of threat information through participation in an Information Sharing and Analysis Organization (ISAO), a public/private collaboration that shares cybersecurity information among members.
The FDA will accept public comments on the draft guidance document through mid-April 2016.