"Cybersecurity threats to medical devices are a growing concern,"
the agency said in a statement. "The exploitation of cybersecurity
vulnerabilities presents a potential risk to the safety and
effectiveness of medical devices."
The draft guidance, which is not legally binding, recommends
companies take a number of actions, including monitoring and
assessing risk, coordinating efforts by companies, government and
other groups to disclose vulnerabilities, and taking measures to
address cybersecurity risk early.
Most cybersecurity vulnerabilities are considered routine and can be
remedied by updates or patches which would not need to be reported
under the proposed guidance, the agency said. Companies would be
required to report vulnerabilities that could compromise clinical
performance of the device and risk a patient's health.
The guidance covers how companies should monitor devices once they
have been cleared for marketing. The agency previously issued
guidance for companies still in the development stage to help inform
design choices.
Joshua Corman, founder of I Am The Cavalry, a cybersafety advocacy
group who worked with the FDA on the guidance, said he was extremely
encouraged by the agency's action.
"I have found the FDA has been very forward thinking to get out in
front of this and not wait for proof of harm before acting," he
said.
The proposed guidance will be open for public comment for 90 days,
after which the FDA will issue final guidance. The agency is holding
a public cybersecurity workshop at its headquarters in Silver Spring,
Maryland on Jan. 20-21. The workshop will focus on "unresolved gaps
and challenges that have hampered progress in advancing medical
device cybersecurity."
(Reporting by Toni Clarke in Washington; editing by Paul Simao and
David Gregorio)
[© 2016 Thomson Reuters. All rights
reserved.] Copyright 2016 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.